Threat – INDIA NEWS (https://www.indiavpn.org)

CTEM 101 – Go Beyond Vulnerability Management with Continuous Threat Exposure Management
https://www.indiavpn.org/2024/03/12/ctem-101-go-beyond-vulnerability-management-with-continuous-threat-exposure-management/
Tue, 12 Mar 2024 11:29:50 +0000

Mar 12, 2024 | The Hacker News | CTEM / Vulnerability Management

In a world of ever-expanding jargon, adding another FLA (Four-Letter Acronym) to your glossary might seem like the last thing you’d want to do. But if you are looking for ways to continuously reduce risk across your environment while making significant and consistent improvements to security posture, in our opinion, you probably want to consider establishing a Continuous Threat Exposure Management (CTEM) program.

CTEM is an approach to cyber risk management that combines attack simulation, risk prioritization, and remediation guidance in one coordinated process. The term Continuous Threat Exposure Management first appeared in the Gartner® report Implement a Continuous Threat Exposure Management Program (CTEM) (Gartner, 21 July 2022). Since then, organizations across the globe have been seeing the benefits of this integrated, continual approach.

Webinar: Why and How to Adopt the CTEM Framework

XM Cyber is hosting a webinar on March 27 featuring Gartner VP Analyst Pete Shoard on adopting the CTEM framework. If you cannot attend live, an on-demand link will be shared afterwards.

Focus on Areas With the Most Risk

But why is CTEM popular, and more importantly, how does it improve upon the already overcrowded world of Vulnerability Management?

Central to CTEM is the discovery of real, actionable risk to critical assets. Anyone can identify security improvements in an organization’s environment. The issue isn’t finding exposures, it’s being overwhelmed by them – and being able to know which pose the most risk to critical assets.

In our opinion, a CTEM program helps you:

  1. Identify your most exposed assets, along with how an attacker might leverage them
  2. Understand the impact and likelihood of potential breaches
  3. Prioritize the most urgent risks and vulnerabilities
  4. Get actionable recommendations on how to fix them
  5. Monitor your security posture continuously and track your progress

With a CTEM program, you can get the “attacker’s view”, cross referencing flaws in your environment with their likelihood of being used by an attacker. The result is a prioritized list of exposures to address, including ones that can safely be addressed later.

The Five Stages of a CTEM Program

Rather than a particular product or service, CTEM is a program that reduces cyber security exposures via five stages:

  1. Scoping – According to Gartner, “To define and later refine the scope of the CTEM initiative, security teams need first to understand what is important to their business counterparts, and what impacts (such as a required interruption of a production system) are likely to be severe enough to warrant collaborative remedial effort.”
  2. Discovery – Gartner says, “Once scoping is completed, it is important to begin a process of discovering assets and their risk profiles. Priority should be given to discovery in areas of the business that have been identified by the scoping process, although this isn’t always the driver. Exposure discovery goes beyond vulnerabilities: it can include misconfiguration of assets and security controls, but also other weaknesses such as counterfeit assets or bad responses to a phishing test.”
  3. Prioritization – In this stage, says Gartner, “The goal of exposure management is not to try to remediate every issue identified nor the most zero-day threats, for example, but rather to identify and address the threats most likely to be exploited against the organization.” Gartner further notes that “Organizations cannot handle the traditional ways of prioritizing exposures via predefined base severity scores, because they need to account for exploit prevalence, available controls, mitigation options and business criticality to reflect the potential impact onto the organization.”
  4. Validation – This stage, according to Gartner, “is the part of the process by which an organization can validate how potential attackers can actually exploit an identified exposure, and how monitoring and control systems might react.” Gartner also notes that the objectives of the Validation step include to “assess the likely ‘attack success’ by confirming that attackers could really exploit the previously discovered and prioritized exposures.”
  5. Mobilization – Says Gartner, “To ensure success, security leaders must acknowledge and communicate to all stakeholders that remediation cannot be fully automated.” The report further notes that, “the objective of the “mobilization” effort is to ensure the teams operationalize the CTEM findings by reducing friction in approval, implementation processes and mitigation deployments. It requires organizations to define communication standards (information requirements) and documented cross-team approval workflows.”

CTEM vs. Alternative Approaches

There are several alternative approaches to understanding and improving security posture, some of which have been in use for decades.

  • Vulnerability Management / Risk-Based Vulnerability Management (RBVM) focuses on risk reduction through scanning to identify vulnerabilities, then prioritizing and fixing them based on static severity scores. Automation is essential, given the number of assets that need to be analyzed and the ever-growing number of vulnerabilities identified. But RBVM is limited to identifying CVEs and doesn’t address identity issues or misconfigurations. Furthermore, it lacks the context (exploitability, reachability from an attacker’s position, business criticality) required to properly prioritize remediation, typically leading to pervasive backlogs.
  • Red Team exercises are manual, expensive, point-in-time tests of cyber security defenses. They seek to identify whether or not a successful attack path exists at a particular point in time, but they can’t identify the full array of risks.
  • Similarly, Penetration Testing assesses risk through a defined testing methodology and provides a point-in-time result. Since it involves active interaction with the network and systems, it’s typically limited with respect to critical assets because of the risk of an outage.
  • Cloud Security Posture Management (CSPM) focuses on misconfiguration issues and compliance risks solely in cloud environments. While important, it doesn’t consider remote employees, on-premises assets, or the interactions between multiple cloud vendors. These solutions are unaware of the full path of attack risks that cross between different environments—a common risk in the real world.

It is our opinion that a CTEM program-based approach offers the advantages of:

  • Covering all assets—cloud, on-premises, and remote—and knowing which ones are most critical.
  • Continuously discovering all types of exposures—traditional CVEs, identities, and misconfigurations.
  • Presenting real-world insights into the attacker view.
  • Prioritizing remediation efforts to eliminate those paths with the fewest fixes.
  • Providing remediation advice for reliable, repeated improvements.
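The prioritization stage of the five-stage program and the “fewest fixes” claim above rest on the same idea: rank an exposure by the attack paths to critical assets it enables, not by its base severity score alone. The Python below is an added illustration written for this page, not XM Cyber’s or Gartner’s code. It models a small environment as a graph whose nodes are assets and whose edges are exposures (all hosts, exposure IDs and severity scores are invented), enumerates attack paths from an entry point to the critical assets, and compares a severity-first ordering with a path-based one, finishing with a greedy search for the smallest set of fixes that severs every path.

```python
"""Attack-path-based exposure prioritization over a constructed environment.

Assets are nodes, exposures are the edges an attacker would abuse to move
between them. Fixes are ranked by how many paths to critical assets they
cut, and a greedy hitting set finds a small fix set, so the result can be
compared with a plain severity-score ranking. All hosts, exposure IDs and
scores are invented for illustration.
"""
from collections import defaultdict

# (from_asset, to_asset, exposure_id). A reused ID means one weakness
# (here a shared service account, EXP-3) enables several hops.
EDGES = [
    ("internet", "web01", "EXP-1"),       # unauthenticated RCE on web server
    ("internet", "vpn01", "EXP-2"),       # weak VPN credential
    ("web01", "app01", "EXP-3"),          # reused service account
    ("vpn01", "app01", "EXP-3"),
    ("app01", "db01", "EXP-4"),           # DB listener with default password
    ("app01", "fileshare", "EXP-5"),      # share writable by everyone
    ("fileshare", "dc01", "EXP-6"),       # credentials in a script on the share
    ("web01", "jumpbox", "EXP-7"),        # local privesc on an isolated host
]
# Base severity per exposure (CVSS-like). EXP-7 scores highest but leads
# nowhere critical; EXP-3 is only "medium" yet sits on every path.
BASE_SEVERITY = {"EXP-1": 9.8, "EXP-2": 7.5, "EXP-3": 6.5, "EXP-4": 8.1,
                 "EXP-5": 5.3, "EXP-6": 7.8, "EXP-7": 9.9}
ENTRY_POINTS = {"internet"}
CRITICAL_ASSETS = {"db01", "dc01"}


def attack_paths(edges, entry_points, critical_assets):
    """Every simple path from an entry point to a critical asset, expressed
    as the list of exposure IDs traversed (DFS; visited set prevents cycles)."""
    graph = defaultdict(list)
    for src, dst, exp in edges:
        graph[src].append((dst, exp))
    paths = []

    def dfs(node, visited, exps):
        if node in critical_assets and exps:
            paths.append(list(exps))
        for nxt, exp in graph.get(node, []):
            if nxt not in visited:
                visited.add(nxt)
                exps.append(exp)
                dfs(nxt, visited, exps)
                exps.pop()
                visited.discard(nxt)

    for entry in sorted(entry_points):
        dfs(entry, {entry}, [])
    return paths


def rank_by_paths(paths):
    """Exposures ordered by the number of critical attack paths they enable."""
    counts = defaultdict(int)
    for path in paths:
        for exp in set(path):
            counts[exp] += 1
    return sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))


def minimal_fix_set(paths):
    """Greedy hitting set: keep fixing the exposure that breaks the most
    surviving paths until no path to a critical asset remains."""
    remaining = [set(p) for p in paths]
    fixes = []
    while remaining:
        best = rank_by_paths(remaining)[0][0]
        fixes.append(best)
        remaining = [p for p in remaining if best not in p]
    return fixes


def rank_by_severity(severity):
    """The traditional ordering: highest base score first."""
    return [exp for exp, _ in sorted(severity.items(), key=lambda kv: -kv[1])]


if __name__ == "__main__":
    paths = attack_paths(EDGES, ENTRY_POINTS, CRITICAL_ASSETS)
    print(f"{len(paths)} attack paths to critical assets")
    print("by severity:", rank_by_severity(BASE_SEVERITY)[:3])
    print("by paths:   ", rank_by_paths(paths)[:3])
    print("fix first:  ", minimal_fix_set(paths))
```

On this data there are four attack paths and a single fix, EXP-3 (the shared service account), severs all of them, while a severity-first queue would start with EXP-7, which leads to nothing critical. A real program replaces the hand-written edge list with discovery data; the greedy hitting set is a heuristic (the exact minimum hitting set is NP-hard) that is adequate at the scale of a typical environment.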

The Value of CTEM

We feel that the CTEM approach has substantial advantages over alternatives, some of which have been in use for decades. Fundamentally, organizations have spent years identifying exposures, adding them to never-ending “to do” lists, expending countless time plugging away at those lists, and yet not getting a clear benefit. With CTEM, a more thoughtful approach to discovery and prioritization adds value by:

  • Quickly reducing overall risk
  • Increasing the value of each remediation, and potentially freeing up resources
  • Improving the alignment between security and IT teams
  • Providing a common view into the entire process, encouraging a positive feedback loop that drives continuous improvement

Getting Started with CTEM

Since CTEM is a process rather than a specific service or software solution, getting started is a holistic endeavor. Organizational buy-in is a critical first step. Other considerations include:

  • Supporting processes and data collection with the right software components
  • Defining critical assets and updating remediation workflows
  • Executing upon the right system integrations
  • Determining proper executive reporting and an approach to security posture improvements

In our view, with a CTEM program, organizations can foster a common language of risk for Security and IT; and ensure that the level of risk for each exposure becomes clear. This enables the handful of exposures that actually pose risk, among the many thousands that exist, to be addressed in a meaningful and measurable way.

For more information on how to get started with your CTEM program, check out XM Cyber’s whitepaper, XM Cyber on Operationalizing The Continuous Threat Exposure Management (CTEM) Framework by Gartner®.

This article is a contributed piece from one of our valued partners.

BianLian Threat Actors Exploiting JetBrains TeamCity Flaws in Ransomware Attacks
https://www.indiavpn.org/2024/03/11/bianlian-threat-actors-exploiting-jetbrains-teamcity-flaws-in-ransomware-attacks/
Mon, 11 Mar 2024 12:17:35 +0000

Mar 11, 2024 | Newsroom | Ransomware / Vulnerability

The threat actors behind the BianLian ransomware have been observed exploiting security flaws in JetBrains TeamCity software to conduct their extortion-only attacks.

According to a new report from GuidePoint Security, which responded to a recent intrusion, the incident “began with the exploitation of a TeamCity server which resulted in the deployment of a PowerShell implementation of BianLian’s Go backdoor.”

BianLian emerged in June 2022 and has since pivoted exclusively to exfiltration-based extortion following the release of a decryptor in January 2023.

The attack chain observed by the cybersecurity firm entails the exploitation of a vulnerable TeamCity instance using CVE-2024-27198 or CVE-2023-42793 (both authentication bypass flaws in the TeamCity server that can be chained to remote code execution) to gain initial access to the environment, followed by creating new users in the build server and executing malicious commands for post-exploitation and lateral movement.

It’s currently not clear which of the two flaws was weaponized by the threat actor for infiltration.

BianLian actors are known to implant a custom backdoor tailored to each victim written in Go, as well as drop remote desktop tools like AnyDesk, Atera, SplashTop, and TeamViewer. The backdoor is tracked by Microsoft as BianDoor.

“After multiple failed attempts to execute their standard Go backdoor, the threat actor pivoted to living-off-the-land and leveraged a PowerShell implementation of their backdoor, which provides an almost identical functionality to what they would have with their Go backdoor,” security researchers Justin Timothy, Gabe Renfro, and Keven Murphy said.

The obfuscated PowerShell backdoor (“web.ps1”) is designed to establish a TCP socket for additional network communication to an actor-controlled server, allowing the remote attackers to conduct arbitrary actions on an infected host.

“The now-confirmed backdoor is able to communicate with the [command-and-control] server and asynchronously execute based on the remote attacker’s post-exploitation objectives,” the researchers said.
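The chain GuidePoint describes (TeamCity exploited, a new user created on the build server, then a hidden PowerShell backdoor opening a TCP socket) leaves a distinctive sequence in endpoint telemetry. The Python below is an added example, not GuidePoint’s tooling or data: it correlates constructed Sysmon-style process-creation, network-connection and account-creation events. It assumes the TeamCity server runs as java.exe under a TeamCity install directory and that any shell spawned by that process deserves a look; the paths, timestamps, user name and IP address are invented.

```python
"""Correlating the TeamCity-to-PowerShell chain over constructed endpoint
telemetry. Assumed layout: the TeamCity server runs as java.exe under a
TeamCity install directory; process creations resemble Sysmon event 1,
outbound connections Sysmon event 3, and local account creation Windows
Security event 4720. Field names are simplified and every event below is
invented for this example, not taken from the GuidePoint investigation.
"""
from datetime import datetime, timedelta

EVENTS = [
    {"ts": "2024-03-01T10:00:05", "id": 1,
     "image": r"C:\Windows\System32\cmd.exe", "parent": r"C:\TeamCity\jre\bin\java.exe",
     "cmdline": "cmd.exe /c net user svc_build Summer2024! /add"},
    {"ts": "2024-03-01T10:00:06", "id": 4720, "target_user": "svc_build"},
    {"ts": "2024-03-01T10:01:40", "id": 1,
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent": r"C:\TeamCity\jre\bin\java.exe",
     "cmdline": r"powershell.exe -ep bypass -w hidden -f C:\Windows\Temp\web.ps1"},
    {"ts": "2024-03-01T10:01:45", "id": 3,
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "dest_ip": "203.0.113.10", "dest_port": 443},
    # Ordinary build activity: the server spawning a build tool, no account change.
    {"ts": "2024-03-01T11:30:00", "id": 1,
     "image": r"C:\Program Files\Git\cmd\git.exe", "parent": r"C:\TeamCity\jre\bin\java.exe",
     "cmdline": "git fetch origin"},
]

SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe"}
TEAMCITY_MARKER = "\\teamcity\\"        # assumed install path fragment
WINDOW = timedelta(minutes=10)


def _when(event):
    return datetime.fromisoformat(event["ts"])


def _basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def shell_spawns_from_teamcity(events):
    """Process creations where a shell's parent is the TeamCity server.
    Builds do spawn processes, but a hidden PowerShell is rarely one of them."""
    return [e for e in events
            if e["id"] == 1
            and _basename(e["image"]) in SHELLS
            and TEAMCITY_MARKER in e["parent"].lower()]


def correlate_chain(events, window=WINDOW):
    """For each suspicious spawn, attach account creations and outbound
    connections by the same binary seen within the window, and score it."""
    findings = []
    for spawn in shell_spawns_from_teamcity(events):
        start = _when(spawn)
        later = [e for e in events if start <= _when(e) <= start + window]
        new_users = [e["target_user"] for e in later if e["id"] == 4720]
        connections = [(e["dest_ip"], e["dest_port"]) for e in later
                       if e["id"] == 3 and e["image"] == spawn["image"]]
        cmd = spawn["cmdline"].lower()
        # 1 for the spawn itself, +2 per follow-on signal, +1 for evasion flags.
        score = 1 + 2 * bool(new_users) + 2 * bool(connections) \
            + ("-w hidden" in cmd or "-ep bypass" in cmd)
        findings.append({"ts": spawn["ts"], "process": _basename(spawn["image"]),
                         "new_users": new_users, "connections": connections, "score": score})
    return findings


if __name__ == "__main__":
    for finding in correlate_chain(EVENTS):
        print(finding)
```

The git spawn is not reported even though its parent is TeamCity, because git is not a shell; the two shell spawns are, and the PowerShell one scores highest since it is both hidden and talking to the outside. In production, feed the function from your EDR or Sysmon pipeline and set the parent marker to your actual install path.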

The disclosure comes as VulnCheck detailed fresh proof-of-concept (PoC) exploits for a critical security flaw impacting Atlassian Confluence Data Center and Confluence Server (CVE-2023-22527) that could lead to remote code execution in a fileless manner and load the Godzilla web shell directly into memory.

The flaw has since been weaponized to deploy C3RB3R ransomware, cryptocurrency miners and remote access trojans over the past two months, indicating widespread exploitation in the wild.

“There’s more than one way to reach Rome,” VulnCheck’s Jacob Baines noted. “While using freemarker.template.utility.Execute appears to be the popular way of exploiting CVE-2023-22527, other more stealthy paths generate different indicators.”
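Baines’s point is that a detection keyed on the single string freemarker.template.utility.Execute misses variants that reach the same result through other Java classes. The Python below is an added example, not VulnCheck’s code: it decodes a request body (percent and \uXXXX layers, repeated to handle double encoding) and matches a set of OGNL and Java execution indicators. The sample bodies are constructed fragments for exercising the matcher, not working exploits; the text-inline.vm path and the label parameter are taken from public analyses of CVE-2023-22527 and are assumptions of this example.

```python
"""Heuristic classification of Confluence template-injection requests.

Normalizes a request body (percent- and \\uXXXX-decoding, repeated for
double encoding) and matches OGNL/Java indicators beyond the single
freemarker.template.utility.Execute string, since variants reach code
execution through other classes. Sample bodies are constructed
fragments for testing the matcher, not working exploits; the
text-inline.vm path and label parameter come from public analyses.
"""
import re
from urllib.parse import unquote, unquote_plus

_UNICODE_ESC = re.compile(r"\\u([0-9a-fA-F]{4})")

# Indicator name -> regex applied to the decoded body.
INDICATORS = {
    "freemarker-execute": r"freemarker\.template\.utility\.Execute",
    "runtime-exec": r"@java\.lang\.Runtime@getRuntime\(\)",
    "process-builder": r"java\.lang\.ProcessBuilder",
    "reflection": r"\.getClass\(\)\.forName\(",
    "script-engine": r"javax\.script\.ScriptEngineManager",
    "ognl-context": r"#request\[|\.internalGet\(|struts2\.context",
    "label-breakout": r"label='\s*\+",   # closing the quoted label value
}
VULN_PATH = "/template/aui/text-inline.vm"

# Constructed request bodies, form-encoded as a proxy would log them.
SAMPLES = [
    "label=%5Cu0027%2B(new+freemarker.template.utility.Execute()).exec(%7B%27id%27%7D)%2B%5Cu0027",
    "label=%5Cu0027%2B%40java.lang.Runtime%40getRuntime().exec(%27whoami%27)%2B%5Cu0027",
    "label=%5Cu0027%2B%23request.getClass().forName(%27javax.script.ScriptEngineManager%27)%2B%5Cu0027",
    "label=Hello+World&escape=true",
]


def normalize(body, rounds=3):
    """Decode the form layer once (+ means space only there), then strip
    further percent and \\uXXXX layers until the text stops changing."""
    body = unquote_plus(body)
    for _ in range(rounds):
        decoded = _UNICODE_ESC.sub(lambda m: chr(int(m.group(1), 16)), unquote(body))
        if decoded == body:
            break
        body = decoded
    return body


def classify(body):
    """Set of indicator names present in the decoded body."""
    text = normalize(body)
    return {name for name, rx in INDICATORS.items() if re.search(rx, text)}


def assess(path, body):
    """Verdict for one request: exploit-shaped bodies against the template
    endpoint are 'exploit', the same bodies elsewhere 'suspicious'."""
    hits = classify(body)
    if not hits:
        return "clean", hits
    if path == VULN_PATH and ("label-breakout" in hits or len(hits) > 1):
        return "exploit", hits
    return "suspicious", hits


if __name__ == "__main__":
    for body in SAMPLES:
        print(assess(VULN_PATH, body))
```

Only the first sample carries the popular indicator; the second and third reach execution through Runtime and ScriptEngineManager and would slip past a single-string rule, while all three share the label-breakout shape that a WAF or proxy rule can key on regardless of the class used. The decoded text, not the raw body, is what the patterns run against, which is why the \u0027 and %2B layers in the samples do not hide anything.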

Cybersecurity Agencies Warn Ubiquiti EdgeRouter Users of APT28’s MooBot Threat
https://www.indiavpn.org/2024/02/28/cybersecurity-agencies-warn-ubiquiti-edgerouter-users-of-apt28s-moobot-threat/
Wed, 28 Feb 2024 07:16:13 +0000

Feb 28, 2024 | Newsroom | Firmware Security / Vulnerability

In a new joint advisory, cybersecurity and intelligence agencies from the U.S. and other countries are urging users of Ubiquiti EdgeRouter to take protective measures, weeks after a botnet comprising infected routers was felled by law enforcement as part of an operation codenamed Dying Ember.

The botnet, named MooBot, is said to have been used by a Russia-linked threat actor known as APT28 to facilitate covert cyber operations and drop custom malware for follow-on exploitation. APT28, affiliated with Russia’s Main Directorate of the General Staff (GRU), has been active since at least 2007.

APT28 actors have “used compromised EdgeRouters globally to harvest credentials, collect NTLMv2 digests, proxy network traffic, and host spear-phishing landing pages and custom tools,” the authorities said [PDF].

The adversary’s use of EdgeRouters dates back to 2022, with the attacks targeting aerospace and defense, education, energy and utilities, governments, hospitality, manufacturing, oil and gas, retail, technology, and transportation sectors in the Czech Republic, Italy, Lithuania, Jordan, Montenegro, Poland, Slovakia, Turkey, Ukraine, the U.A.E., and the U.S.

MooBot infections begin with routers that still have default or weak credentials, onto which the botnet operators deploy trojanized OpenSSH binaries; APT28 then acquired this access to deliver bash scripts and other ELF binaries that collect credentials, proxy network traffic, host phishing pages, and run other tooling.

This includes Python scripts to upload account credentials belonging to specifically targeted webmail users, which are collected via cross-site scripting and browser-in-the-browser (BitB) spear-phishing campaigns.

APT28 has also been linked to the exploitation of CVE-2023-23397 (CVSS score: 9.8), a now-patched critical privilege escalation flaw in Microsoft Outlook that leaks NTLMv2 hashes to an attacker-controlled server and enables a relay attack, without requiring any user interaction.

Another tool in its malware arsenal is MASEPIE, a Python backdoor capable of executing arbitrary commands on victim machines utilizing compromised Ubiquiti EdgeRouters as command-and-control (C2) infrastructure.

“With root access to compromised Ubiquiti EdgeRouters, APT28 actors have unfettered access to Linux-based operating systems to install tooling and to obfuscate their identity while conducting malicious campaigns,” the agencies noted.

Organizations are recommended to perform a hardware factory reset of the routers to flush file systems of malicious files, upgrade to the latest firmware version, change default credentials, and implement firewall rules to prevent exposure of remote management services.
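The recommendations above can be checked rather than assumed. The Python below is an added example, not Ubiquiti’s or the agencies’ tooling: it parses an EdgeOS config.boot (a constructed sample written in the brace syntax EdgeOS uses) with a minimal parser written for this page and reports the conditions the advisory targets, namely a default account, management services without a listen-address, and a WAN-facing interface with no local firewall ruleset. The interface names, addresses and password hash are invented.

```python
"""Offline audit of an EdgeRouter (EdgeOS) config.boot for the weaknesses
the advisory calls out: default accounts, management services reachable
from the WAN, and no local firewall on the WAN interface. The config
below is a constructed sample in EdgeOS's brace syntax; the parser is a
minimal one written for this example, not Ubiquiti's.
"""

SAMPLE_CONFIG = """\
firewall {
    name WAN_LOCAL {
        default-action drop
        rule 10 {
            action accept
            state {
                established enable
                related enable
            }
        }
    }
}
interfaces {
    ethernet eth0 {
        address dhcp
        description WAN
    }
    ethernet eth1 {
        address 192.168.1.1/24
        description LAN
    }
}
service {
    gui {
        https-port 443
    }
    ssh {
        port 22
        protocol-version v2
    }
}
system {
    login {
        user ubnt {
            authentication {
                encrypted-password $6$constructed$hash
            }
            level admin
        }
    }
}
/* Warning: Do not remove the following line. */
"""

DEFAULT_ACCOUNTS = {"ubnt"}


def parse_config(text):
    """Parse 'key value' leaves and 'key [name] {' blocks into nested dicts.
    Repeated leaves (e.g. several 'address' lines) keep only the last one,
    which is enough for the checks below."""
    root, stack = {}, []
    stack.append(root)
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("/*"):
            continue
        if line == "}":
            stack.pop()
        elif line.endswith("{"):
            node = stack[-1]
            for part in line[:-1].split():
                node = node.setdefault(part, {})
            stack.append(node)
        else:
            key, _, value = line.partition(" ")
            stack[-1][key] = value or True
    return root


def audit(cfg):
    """Return human-readable findings; an empty list means the checks pass."""
    findings = []
    users = cfg.get("system", {}).get("login", {}).get("user", {})
    for name in users:
        if name in DEFAULT_ACCOUNTS:
            findings.append(f"default account '{name}' still exists; create a new admin, then delete it")
    for name, iface in cfg.get("interfaces", {}).get("ethernet", {}).items():
        wan_facing = str(iface.get("description", "")).upper().startswith("WAN") or iface.get("address") == "dhcp"
        has_local_fw = "name" in iface.get("firewall", {}).get("local", {})
        if wan_facing and not has_local_fw:
            findings.append(f"{name} is WAN-facing with no 'firewall local' ruleset; SSH/GUI are reachable from the internet")
    for svc in ("ssh", "gui"):
        svc_cfg = cfg.get("service", {}).get(svc)
        if svc_cfg is not None and "listen-address" not in svc_cfg:
            findings.append(f"service {svc} has no listen-address; bind it to a LAN address")
    return findings


if __name__ == "__main__":
    for finding in audit(parse_config(SAMPLE_CONFIG)):
        print("-", finding)
```

On the sample it reports four findings. The corresponding EdgeOS CLI fixes are set interfaces ethernet eth0 firewall local name WAN_LOCAL, set service ssh listen-address with a LAN address, set service gui listen-address likewise, and creating a replacement admin user before deleting ubnt. The factory reset and firmware upgrade still come first: a configuration check cannot see a trojanized OpenSSH binary on the filesystem.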

The revelations are a sign that nation-state hackers are increasingly using routers as a launchpad for attacks, using them to create botnets such as VPNFilter, Cyclops Blink, and KV-botnet and conduct their malicious activities.

The bulletin arrives a day after the Five Eyes nations called out APT29 – the threat group affiliated with Russia’s Foreign Intelligence Service (SVR) and the entity behind the attacks on SolarWinds, Microsoft, and HPE – for employing service accounts and dormant accounts to access cloud environments at target organizations.

Open-Source Xeno RAT Trojan Emerges as a Potent Threat on GitHub
https://www.indiavpn.org/2024/02/27/open-source-xeno-rat-trojan-emerges-as-a-potent-threat-on-github/
Tue, 27 Feb 2024 14:19:44 +0000

Feb 27, 2024 | The Hacker News | Malware / Network Security

An “intricately designed” remote access trojan (RAT) called Xeno RAT has been published on GitHub, putting it in the hands of other actors at no cost.

Written in C# and compatible with Windows 10 and Windows 11 operating systems, the open-source RAT comes with a “comprehensive set of features for remote system management,” according to its developer, who goes by the name moom825.

It includes a SOCKS5 reverse proxy and the ability to record real-time audio, and it incorporates a hidden virtual network computing (hVNC) module along the lines of DarkVNC, which allows attackers to operate an infected computer through a desktop session the victim cannot see.

“Xeno RAT is developed entirely from scratch, ensuring a unique and tailored approach to remote access tools,” the developer states in the project description. Another notable aspect is that it has a builder that enables the creation of bespoke variants of the malware.

It’s worth noting that moom825 is also the developer of another C#-based RAT called DiscordRAT 2.0, which has been distributed by threat actors within a malicious npm package named node-hide-console-windows, as disclosed by ReversingLabs in October 2023.

Cybersecurity firm Cyfirma, in a report published last week, said it observed Xeno RAT being disseminated via the Discord content delivery network (CDN), once again underscoring how a rise in affordable and freely available malware is driving an increase in campaigns utilizing RATs.

“The primary vector in the form of a shortcut file, disguised as a WhatsApp screenshot, acts as a downloader,” the company said. “The downloader downloads the ZIP archive from Discord CDN, extracts, and executes the next stage payload.”

The multi-stage sequence leverages a technique called DLL side-loading to launch a malicious DLL, while simultaneously taking steps to establish persistence and evade analysis and detection.
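DLL side-loading works because, for libraries not pinned by the KnownDLLs list, Windows searches an executable’s own directory before the system directories, so a signed, legitimate program dropped next to a malicious DLL bearing a system library’s name will load it and run attacker code under a trusted process. The Python below is an added example, not Cyfirma’s detection logic: it scores constructed Sysmon-event-7-style image-load events (simplified field names, invented paths) on the combination of a side-load-prone DLL name outside the system directories, an unsigned DLL under a signed host, co-location with the executable, and a user-writable launch path.

```python
"""DLL side-loading detection over constructed image-load telemetry.

Side-loading abuses the Windows DLL search order: a legitimate signed
executable is dropped next to a malicious DLL that carries the name of a
system library, so the attacker's code runs under a trusted process. The
events below imitate Sysmon event 7 (ImageLoad) with simplified field
names and are invented for this example.
"""

SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\", "c:\\windows\\winsxs\\")
# DLL names that ship with Windows and are frequently side-loaded.
SIDELOAD_NAMES = {"version.dll", "dbghelp.dll", "wininet.dll", "cryptbase.dll",
                  "msimg32.dll", "userenv.dll", "dwmapi.dll", "winmm.dll",
                  "uxtheme.dll", "iphlpapi.dll"}
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\downloads\\", "\\programdata\\", "\\public\\")
THRESHOLD = 4

EVENTS = [
    # Signed viewer dropped in AppData loads an unsigned version.dll beside it.
    {"Image": r"C:\Users\alice\AppData\Roaming\Viewer\viewer.exe", "ImageSigned": True,
     "ImageLoaded": r"C:\Users\alice\AppData\Roaming\Viewer\version.dll", "DllSigned": False},
    # Benign: the same library name loaded from System32.
    {"Image": r"C:\Program Files\Mozilla Firefox\firefox.exe", "ImageSigned": True,
     "ImageLoaded": r"C:\Windows\System32\version.dll", "DllSigned": True},
    # Benign: an application's own unsigned helper with a non-system name.
    {"Image": r"C:\Program Files\Tool\tool.exe", "ImageSigned": True,
     "ImageLoaded": r"C:\Program Files\Tool\helper.dll", "DllSigned": False},
    # Signed updater run from ProgramData loads an unsigned dwmapi.dll.
    {"Image": r"C:\ProgramData\Update\update.exe", "ImageSigned": True,
     "ImageLoaded": r"C:\ProgramData\Update\dwmapi.dll", "DllSigned": False},
]


def _split(path):
    """Lower-cased (directory with trailing backslash, file name)."""
    directory, _, name = path.lower().rpartition("\\")
    return directory + "\\", name


def score_load(event):
    """Score one image-load event; higher means more side-load-like."""
    exe_dir, _ = _split(event["Image"])
    dll_dir, dll_name = _split(event["ImageLoaded"])
    in_system_dir = dll_dir.startswith(SYSTEM_DIRS)
    score, reasons = 0, []
    if dll_name in SIDELOAD_NAMES and not in_system_dir:
        score += 3
        reasons.append(f"{dll_name} loaded from outside the system directory")
    if event["ImageSigned"] and not event["DllSigned"]:
        score += 1
        reasons.append("signed host process loaded an unsigned DLL")
    if exe_dir == dll_dir and not in_system_dir:
        score += 1
        reasons.append("DLL lives in the executable's own directory")
    if any(marker in exe_dir for marker in USER_WRITABLE):
        score += 1
        reasons.append("host executable runs from a user-writable path")
    return score, reasons


def find_sideloads(events, threshold=THRESHOLD):
    """Events at or above the threshold, with their score and reasons."""
    hits = []
    for event in events:
        score, reasons = score_load(event)
        if score >= threshold:
            hits.append((event["Image"], event["ImageLoaded"], score, reasons))
    return hits


if __name__ == "__main__":
    for image, dll, score, reasons in find_sideloads(EVENTS):
        print(score, image, "->", dll, reasons)
```

Two of the four events cross the threshold; the tool’s own unsigned helper.dll scores 2 and is left alone, which is why the rule weights a system-library name far more than an unsigned load on its own. Feed it real Sysmon ImageLoad events (Image, ImageLoaded, Signed, SignatureStatus) and grow the name list from the DLL names actually abused in your environment.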

The development comes as the AhnLab Security Intelligence Center (ASEC) revealed a Gh0st RAT variant called Nood RAT being used in attacks targeting Linux systems, allowing adversaries to harvest sensitive information.

“Nood RAT is a backdoor malware that can receive commands from the C&C server to perform malicious activities such as downloading malicious files, stealing systems’ internal files, and executing commands,” ASEC said.

“Although simple in form, it is equipped with the encryption feature to avoid network packet detection and can receive commands from threat actors to carry out multiple malicious activities.”

This article is a contributed piece from one of our valued partners.

Cybersecurity for Healthcare—Diagnosing the Threat Landscape and Prescribing Solutions for Recovery
https://www.indiavpn.org/2024/02/21/cybersecurity-for-healthcare-diagnosing-the-threat-landscape-and-prescribing-solutions-for-recovery/
Wed, 21 Feb 2024 10:58:11 +0000

On Thanksgiving Day 2023, while many Americans were celebrating, hospitals across the U.S. were doing quite the opposite. Systems were failing. Ambulances were diverted. Care was impaired. Hospitals in three states were hit by a ransomware attack, and in that moment, the real-world repercussions came to light—it wasn’t just computer networks that were brought to a halt, but actual patient care itself.

Cybercriminals are more brazen than ever, targeting smaller healthcare organizations for big payouts. Sure, it would be nice to believe thieves once lived by a code of conduct, but if one ever existed, it’s been torn to shreds and tossed into the wind. Sophisticated hacker groups are now more than happy to launch cyberattacks on medical clinics, nursing homes, and other health service providers. Small- to mid-sized healthcare organizations have, unfortunately, become vulnerable targets from which cybercriminals can easily steal sensitive data, extort heavy ransoms, and, worst of all, diminish critical patient care.

Ransomware and Phishing Attacks are Spreading at an Unhealthy Rate

If you work in healthcare, everything you do is important. That’s why the frequency by which healthcare organizations now come under attack is so concerning. According to the U.S. Department of Health and Human Services (HHS), there’s been a 93% increase in large breaches from 2018 to 2022. In that same period, there’s been a 278% increase in breaches involving ransomware.

Ransomware doesn’t just hold your pocketbook hostage, but also your patients’ safety. At best, you’re locked out of your systems for a moment. At worst, patient care is radically compromised. This is especially alarming if you service smaller communities, where the local population relies on your clinic, cancer center, or physician’s office as the first and last lines of critical care.

Your patients are obviously your top priority, but you also have to consider the dollars at stake. The HIPAA Journal notes that in 2021, the average ransomware payment in the healthcare industry was $197,000. And that’s an increase of 33% from the prior year!

Phishing—fraudulent emails disguised as legitimate sources attempting to solicit personal information—is now the most popular means of attack. In fact, The HIPAA Journal cites that more than 90% of cyberattacks on healthcare organizations are phishing scams. That means carelessly clicking on one email can have dire consequences for your staff, your patients, and your operation.

Aside from the potential financial burden inflicted by cybercriminals, Health Insurance Portability and Accountability Act (HIPAA) fines can also be debilitating. If you fall prey to data breaches, you can potentially be fined tens of thousands of dollars per violation. Case in point, a medical group in Louisiana recently paid a staggering fine of $480,000, settling the first-ever cyberattack investigation conducted by HHS’ Office for Civil Rights. This was all the result of a basic phishing scam where a cybercriminal gained access to the medical group’s Microsoft 365 environment, the storage point for their patients’ protected health information (PHI).

More Endpoints and Fewer Resources Make Healthcare Easier Targets

Simply put, effective cybersecurity needs both advanced technology and human expertise. Yet according to the Huntress report The State of Cybersecurity for Mid-Sized Businesses in 2023, over 60% of respondents had no dedicated cybersecurity experts on staff, because many small- and mid-sized businesses (SMBs) are constrained and struggle to attain even one of these core components. Due to a variety of economic factors, SMBs—both within and beyond healthcare—have had to reduce budgets, which means foregoing much-needed investments in cybersecurity products and people.

According to the Healthcare Information and Management Systems Society (HIMSS), healthcare organizations typically spend less than 6% of their overall IT budgets on cybersecurity. Making matters worse, there’s a profound shortage of cybersecurity talent, so filling internal roles with qualified candidates has become a rising challenge. And with top talent being few and far between, the best candidates are commanding top-level salaries, which at times are out of reach for smaller healthcare organizations.

Aging tech isn’t helping matters either. Outdated equipment and legacy operating systems have become easy points of access for cybercriminals. Therefore, smaller healthcare organizations are ideal targets due to weaker defenses. With limited budgets and less manpower, your IT team may be stretched thin or may not possess the cybersecurity expertise to manage evolving cyber threats.

Adding to the chaos, there are more endpoints to protect than ever before. Over the past decade, most notably throughout COVID, remote work and telehealth have grown significantly. The good news is patients can now receive care from the comfort of their own homes, and providers like you can monitor and assist them from off-site. However, this level of care demands more avenues to access data, specifically via tablets, laptops, and mobile devices, which also means there are now more attack surfaces for unscrupulous actors to reach your data.

The Threat Landscape is Evolving, for the Worse

One reason threats are becoming more frequent is because cybercriminals are becoming more organized. And more ruthless. It’s no longer a mischievous loner in a dark basement, hunched over a monitor, hiding behind a black hoodie. These are sophisticated criminal entities that can carry out carefully choreographed heists. Imagine Ocean’s Eleven, but with less style and far less remorse.

U.S. intelligence has even uncovered hacking groups tied to hostile nations. Also known as advanced persistent threats (APTs), these state-sponsored cybercriminals have the means to debilitate everything from water-treatment plants to natural gas pipelines to electric grids. If these groups have grown powerful enough to take out military and civilian infrastructure, your small- to mid-sized healthcare organization is no challenge. For them, you’re just a drive-by ATM.

In the Huntress report, The State of Cybersecurity for Mid-Sized Businesses in 2023, it was revealed that nearly 25% of SMBs have either suffered a cyberattack or didn’t even realize they had suffered one in the past year.

Cybercriminals are now hiding in plain sight. They’ve advanced beyond the point of standard ransomware tactics, and they’re “blending into” your normal IT operations to exploit built-in system functionalities. This makes it easier for them to gain control over legitimate applications, such as remote monitoring and management (RMM), to manipulate your systems. For instance, cybercriminals can use living-off-the-land binaries (LOLBins)—trusted executables pre-installed on your operating systems—and exploit them for malicious intent. If these threat actors are no longer just relying on custom malware, then your standard spam filters or anti-malware solutions just aren’t enough. Therefore, you need visibility into your entire security system.

You Can Take Action Now with a Few Solutions

When it comes to healthcare cybersecurity, there’s a lot on the line—including lives—so it’s important that organizations like yours are vigilant and proactive. Because no single layer of your security is completely safe anymore, you must adopt a defense-in-depth approach.

This entails creating layers to your defenses with solutions such as intrusion prevention, data encryption, threat detection, patch management, and more. So if a threat bypasses one of these countermeasures, there’s another layer to stop it from slipping through the cracks. A layered approach, however, likely requires ongoing monitoring and fine-tuning. If you happen to lack the in-house resources and expertise to manage your cybersecurity, rest assured there are a variety of simple solutions you can still implement to achieve effective protection, with one of the most potent being a managed EDR.

Security Awareness Training (SAT)

Introduce SAT to educate your staff on cybersecurity best practices. These programs can include phishing simulations and relevant cyber threat lessons that can guide them to make smarter decisions to keep your organization and your patients safe. When it comes to SAT programs, it’s advised you introduce engaging, story-driven lessons, as those are proven to be more effective for knowledge retention.

Multi-Factor Authentication (MFA)

MFA adds an extra layer of protection by requiring your staff to use a second verification factor, such as a personal phone or a security token, to gain access to an account. You’ve likely seen MFA used when logging into your banking app or even your go-to streaming service. The benefit of MFA is it goes beyond usernames and passwords, which can easily be lost, forgotten, or stolen.

Managed EDR

This can be the most powerful and cost-effective solution for your healthcare organization. By coupling advanced technology with human-led analysis, a managed EDR performs critical cybersecurity tasks on your behalf, namely:

  • Monitoring and collecting endpoint data
  • Detecting and investigating threats
  • Triaging alerts
  • Providing actionable remediation steps, including one-click solutions

Easy to deploy, Huntress Managed EDR is fully managed and monitored by a 24/7 Security Operations Center. These cybersecurity experts have your back from the first signs of suspicious activity all the way to remediation.

Huntress Safeguards Healthcare’s Cybersecurity Needs

As healthcare organizations sit in the crosshairs of cybercriminals, it’s absolutely vital you keep your defenses up. This is especially important in a world marked by ever-expanding threats and shrinking budgets.

Cybercriminals are now smarter, more coordinated, and definitely more unforgiving. They don’t care who they hurt, just so long as they can turn a quick profit. Therefore, it’s critical you bolster your cybersecurity in order to protect your organization, your staff, and your patients.

Building a thorough defense infrastructure, however, requires sizable capital, resources, and expertise. While smaller healthcare organizations can find it difficult to prioritize these, there are solutions. Evaluate potential risks. Educate your staff on cyber threats. And adopt a managed EDR. Just like in medicine, even the most basic preventive measures can stop the spread of something far more harmful.

Schedule a Trial Today

Huntress can help healthcare organizations like yours remain secure from ever-evolving cybersecurity threats. Schedule your free trial today.

Attending HIMSS 2024?

In Orlando, from March 11 to 15, you can visit Huntress in Booth 1616. Come learn more about how Huntress can help your healthcare organization thwart cyberattacks.

Found this article interesting? This article is a contributed piece from one of our valued partners. Follow us on Twitter and LinkedIn to read more exclusive content we post.

Threat Actors Increasingly Abusing GitHub for Malicious Purposes
https://www.indiavpn.org/2024/01/11/threat-actors-increasingly-abusing-github-for-malicious-purposes/
Thu, 11 Jan 2024 16:48:40 +0000

Jan 11, 2024 | Newsroom | Cybersecurity / Software Security

The ubiquity of GitHub in information technology (IT) environments has made it a lucrative choice for threat actors to host and deliver malicious payloads and act as dead drop resolvers, command-and-control, and data exfiltration points.

“Using GitHub services for malicious infrastructure allows adversaries to blend in with legitimate network traffic, often bypassing traditional security defenses and making upstream infrastructure tracking and actor attribution more difficult,” Recorded Future said in a report shared with The Hacker News.

The cybersecurity firm described the approach as “living-off-trusted-sites” (LOTS), a spin on the living-off-the-land (LotL) techniques often adopted by threat actors to conceal rogue activity and fly under the radar.

The most prominent way in which GitHub is abused is payload delivery, with some actors also leveraging its features for command-and-control (C2) obfuscation. Last month, ReversingLabs detailed a number of rogue Python packages that relied on a secret gist hosted on GitHub to receive malicious commands on the compromised hosts.

While full-fledged C2 implementations in GitHub are uncommon in comparison to other infrastructure schemes, its use by threat actors as a dead drop resolver – wherein the information from an actor-controlled GitHub repository is used to obtain the actual C2 URL – is a lot more prevalent, as evidenced in the case of malware like Drokbk and ShellBox.

Also rarely observed is the abuse of GitHub for data exfiltration, which, per Recorded Future, is likely due to file size and storage limitations and concerns around discoverability.

Outside of these four main schemes, the platform’s offerings are put to use in various other ways in order to meet infrastructure-related purposes. For instance, GitHub Pages have been used as phishing hosts or traffic redirectors, with some campaigns utilizing a GitHub repository as a backup C2 channel.


The development speaks to the broader trend of legitimate internet services such as Google Drive, Microsoft OneDrive, Dropbox, Notion, Firebase, Trello, and Discord being exploited by threat actors. This also includes other source code and version control platforms like GitLab, BitBucket, and Codeberg.

“There is no universal solution for GitHub abuse detection,” the company said. “A mix of detection strategies is needed, influenced by specific environments and factors such as the availability of logs, organizational structure, service usage patterns, and risk tolerance, among others.”

New macOS Backdoor Threat from North Korean Hackers
https://www.indiavpn.org/2024/01/05/new-macos-backdoor-threat-from-north-korean-hackers/
Fri, 05 Jan 2024 16:39:35 +0000

Jan 05, 2024 | Newsroom | Endpoint Security / Malware

Cybersecurity researchers have discovered a new Apple macOS backdoor called SpectralBlur that overlaps with a known malware family that has been attributed to North Korean threat actors.

“SpectralBlur is a moderately capable backdoor that can upload/download files, run a shell, update its configuration, delete files, hibernate, or sleep, based on commands issued from the [command-and-control] server,” security researcher Greg Lesnewich said.

The malware shares similarities with KANDYKORN (aka SockRacket), an advanced implant that functions as a remote access trojan capable of taking control of a compromised host.


It’s worth noting that the KANDYKORN activity also intersects with another campaign orchestrated by the Lazarus sub-group known as BlueNoroff (aka TA444), one that culminates in the deployment of a backdoor referred to as RustBucket and a late-stage payload dubbed ObjCShellz.

In recent months, the threat actor has been observed combining disparate pieces of these two infection chains, leveraging RustBucket droppers to deliver KANDYKORN.

The latest findings are another sign that North Korean threat actors are increasingly setting their sights on macOS to infiltrate high-value targets, particularly those within the cryptocurrency and the blockchain industries.

“TA444 keeps running fast and furious with these new macOS malware families,” Lesnewich said.

Security researcher Patrick Wardle, who shared additional insights into the inner workings of SpectralBlur, said the Mach-O binary was uploaded to the VirusTotal malware scanning service in August 2023 from Colombia.

The functional similarities between KANDYKORN and SpectralBlur have raised the possibility that they may have been built by different developers keeping the same requirements in mind.


What makes the malware stand out are its attempts to hinder analysis and evade detection while using grantpt to set up a pseudo-terminal and execute shell commands received from the C2 server.

The disclosure comes as a total of 21 new malware families designed to target macOS systems, including ransomware, information stealers, remote access trojans, and nation-state-backed malware, were discovered in 2023, up from 13 identified in 2022.

“With the continued growth and popularity of macOS (especially in the enterprise!), 2024 will surely bring a bevy of new macOS malware,” Wardle noted.

The Rising Threat Behind Holiday Gift Card Frauds
https://www.indiavpn.org/2023/12/25/the-rising-threat-behind-holiday-gift-card-frauds/
Mon, 25 Dec 2023 22:33:04 +0000

Dec 16, 2023 | Newsroom | Online Security / Cybercrime

Microsoft is warning of an uptick in malicious activity from an emerging threat cluster it’s tracking as Storm-0539 for orchestrating gift card fraud and theft via highly sophisticated email and SMS phishing attacks against retail entities during the holiday shopping season.

The goal of the attacks is to propagate booby-trapped links that direct victims to adversary-in-the-middle (AiTM) phishing pages that are capable of harvesting their credentials and session tokens.

“After gaining access to an initial session and token, Storm-0539 registers their own device for subsequent secondary authentication prompts, bypassing MFA protections and persisting in the environment using the fully compromised identity,” the tech giant said in a series of posts on X (formerly Twitter).


The foothold obtained in this manner further acts as a conduit for escalating privileges, moving laterally across the network, and accessing cloud resources in order to grab sensitive information, specifically going after gift card-related services to facilitate fraud.

On top of that, Storm-0539 collects emails, contact lists, and network configurations for follow-on attacks against the same organizations, underscoring the need for robust credential hygiene practices.

Redmond, in its monthly Microsoft 365 Defender report published last month, described the adversary as a financially motivated group that has been active since at least 2021.

“Storm-0539 carries out extensive reconnaissance of targeted organizations in order to craft convincing phishing lures and steal user credentials and tokens for initial access,” it said.

“The actor is well-versed in cloud providers and leverages resources from the target organization’s cloud services for post-compromise activities.”


The disclosure comes days after the company said it obtained a court order to seize the infrastructure of a Vietnamese cybercriminal group called Storm-1152 that sold access to approximately 750 million fraudulent Microsoft accounts as well as identity verification bypass tools for other technology platforms.

Earlier this week, Microsoft also warned that multiple threat actors are abusing OAuth applications to automate financially motivated cyber crimes, such as business email compromise (BEC), phishing, large-scale spamming campaigns, and the deployment of virtual machines to illicitly mine for cryptocurrencies.
