GoldenJackal Breaches the air-gap
The threat actor is using custom malware to infiltrate air-gapped systems
A roundup of some of the noteworthy developments in the cybersecurity landscape, encompassing the latest vulnerability discoveries and emerging attack trends. Here are this edition’s top stories:
↘️ CrowdStrike apologized to the Committee on Homeland Security in public testimony for a July incident that crashed millions of Windows systems worldwide following a faulty July 19 content configuration update, and highlighted the steps the company has implemented since then to prevent a failure of this magnitude from happening again by overhauling its testing and rollout processes. The outage has raised the question of whether it is appropriate for products like CrowdStrike's to enjoy kernel-level access to Windows, but the security vendor defended the need for such entrenched access to fend off adversaries. Microsoft, in a related move, said it is abiding by a comprehensive approach to cybersecurity as part of its Secure Future Initiative (SFI). It also said it eliminated 730,000 unused applications and 5.75 million inactive tenants within its cloud environment. [Committee on Homeland Security / Microsoft]
↘️ While there is a steady stream of academic research into the various ways data can be pilfered from air-gapped systems, a little-known threat actor called GoldenJackal has been found devising two different custom toolsets to infiltrate such machines using a worm that can spread via compromised USB drives. The attacks targeted a South Asian embassy in Belarus and a European Union (E.U.) government organization, according to ESET. [The Hacker News]

↘️ High-profile entities in India have become the target of malicious campaigns orchestrated by the Pakistan-based Transparent Tribe threat actor and a previously unknown China-nexus cyber espionage group dubbed IcePeony. [The Hacker News]
↘️ Chinese threat actors are increasingly targeting edge network devices for follow-on targeted attacks against specific organizations of high value. “Edge network devices are high-value targets that well-resourced adversaries use for both initial access and persistence,” Sophos said. “Threat actors use edge devices as operational relay boxes (ORBs) to attack onward targets and obfuscate the true origin of attacks.” [WIRED / The Hacker News]
↘️ Scammers are using images from Google’s Street View to extort internet users as part of sextortion scams. “Attached to these emails are PDF documents containing the language expected from sextortion emails with the twist of including an image of the target’s supposed home or place of work,” Cofense said. “The images used are not always of their residence; instead, they might just be pictures of the street or the environment around it.” In a second variant, threat actors have been found using Deepfin, a Lithuanian free-to-use invoice generation platform, to send the sextortion emails. Other tactics observed in phishing campaigns include the use of GitHub, ASCII QR codes, TikTok URLs, and HR-themed employee handbook lures to redirect users to malicious sites. [Cofense]
↘️ A new campaign dubbed Chaya_002 is leveraging fake Google Chrome, Microsoft Edge, and Teams installers to deliver a malware dubbed capable of conducting reconnaissance of compromised systems for likely follow-on attacks. The delivery mechanisms are similar to those of ClearFake, SocGholish, FakeSG, and Scarlet Goldfinch. “We hypothesize that perpetrators may be attempting to gain initial access to a customer’s network through SEO-Poisoning when users’ Windows search returns web search results,” the researchers said. [Forescout]
↘️ Speaking of SocGholish, a new fake browser campaign targeting users in France is taking advantage of compromised websites to serve bogus browser and application update notices that spread a new version of the WARMCOOKIE backdoor. [Gen Threat Labs]
↘️ In what appears to be a malware campaign targeting malicious actors, hackers are advertising a fake OnlyFans checker tool that claims to help validate stolen account credentials but instead infects them with the Lumma information-stealing malware. “These ‘checkers’ are the digital lockpicks of the modern age, promising easy access to a treasure trove of sensitive information and potential financial gain,” researchers pointed out. “However, as our investigation reveals, sometimes these tools are Trojan horses, designed to ensnare the very criminals seeking to use them.” As they say, there is no honor among thieves. [Veriti]
↘️ A group of researchers from Pennsylvania State University have uncovered a series of security flaws in different 5G basebands from Samsung, MediaTek, and Qualcomm — processors used by cell phones to connect to mobile networks — which could have allowed hackers to stealthily hack victims and spy on them. The findings were made possible by means of a framework named 5GBaseChecker. [GitHub]
↘️ New research has found that the electromagnetic waves that unintentionally emanate from cables and connectors, particularly HDMI, can be exploited more effectively to recover sensitive information from signals captured by software-defined radios by making use of a deep learning architecture. “The HDMI cable and connectors emit unintended electromagnetic signals, which are captured by the SDR and processed by gr-tempest, obtaining a degraded complex-valued image, which in turn is fed to a convolutional neural network to infer the source image,” the study said. [arXiv]
↘️ Details have emerged about a now-patched security flaw in Microsoft Windows that, if successfully exploited, could allow an attacker to gain SYSTEM privileges. The vulnerability, tracked as CVE-2024-30089 (CVSS score: 7.8), is rooted in the Microsoft Streaming Service, and was addressed by the tech giant in June 2024. [IBM X-Force]
↘️ The Bitter APT group, recognized for its sophisticated cyber espionage activities targeting East and South Asia, has been spotted deploying a new malware known as MiyaRat, which is capable of harvesting system information, capturing screenshots, performing file uploads and downloads, and exfiltrating data to its command-and-control (C2) server, where it waits for further instructions. [QiAnXin]
↘️ Hundreds of companies have fallen victim to the North Korean fake IT worker schemes, and some of them received ransom demands after the intruders gained insider access, seeking additional monetary gain in exchange for not leaking intellectual property. Using stolen or falsified identities, these individuals apply for jobs at legitimate companies and, if hired, use their access to steal data and gain insight into the organization’s infrastructure. The findings show that these placements sometimes morph into broader efforts to plunder sensitive data and extort the companies for larger payments. The observed tactics, techniques, and procedures (TTPs) in these attacks align with those previously associated with the threat actor, such as requesting changes to delivery addresses for corporate laptops, avoiding video calls, requesting permission to use a personal laptop, showing a preference for a virtual desktop infrastructure (VDI) setup, and updating bank account information often within a short timeframe. [The Hacker News / CyberScoop]
↘️ The Council of the European Union has formally adopted the Cyber Resilience Act, a new law that will ensure that connected devices — including consumer products such as smart doorbells, televisions and toys, as well as commercial devices such as IP cameras — meet new cybersecurity requirements before going to market. The regulation will apply to all products that are connected either directly or indirectly to another device or to a network. [European Council]
↘️ Cybersecurity researchers have discovered a malware campaign that distributes the Lumma Stealer via GitHub and YouTube comments containing links to an encrypted archive hosted on mediafire[.]com. Lumma Stealer has also been observed propagating via a malvertising campaign dubbed AliGater that targets users running outdated versions of Windows and Chrome. “Like other malvertising platforms, they rely on legitimate ad services to redirect unsuspecting victims to their gateway,” Avast said. “This gateway fingerprints the user, filters out potential victims and then redirects them to a malicious domain that will try to exploit vulnerabilities in their system. These exploits attempt to stealthily deploy the final payload using common tricks, such as embedding it within multiple legitimate-looking processes and threads.” [Gen]
↘️ A security flaw has been disclosed in AI-enabled Wyze Cam devices (CVE-2024-37066, CVSS score: 6.8) that could be abused to root them, upload malicious packages through QR codes, and attack the underlying model. [Hidden Layer]
↘️ The North Korea-linked Lazarus Group has been linked to an elaborate social engineering campaign that has tricked cryptocurrency users into visiting a website called DeTankZone and downloading a booby-trapped executable. The file is a fully functional game that’s also designed to execute shellcode for collecting information on the compromised system before deciding whether to deploy further malicious payloads, including a known backdoor called Manuscrypt. What’s notable about this attack is that it also exploits a now-patched security flaw in Google Chrome (CVE-2024-4947) to trigger code execution by breaking out of the V8 sandbox. The group is easily among the most prolific and dangerous cyber threat actors in operation, and many of its financially motivated attacks, including those involving ransomware, card-skimming, and cryptocurrency users, are assessed to be attempts to generate revenue for the cash-strapped nation. It has been established repeatedly that North Korean advanced persistent threats (APTs) are particularly adept at using social engineering to steal crypto in threat campaigns aimed at gathering funds to support the country’s nuclear program as well as other endeavors. [The Hacker News]
↘️ A high-severity security flaw (CVE-2024-6333, CVSS score: 7.2) impacting Xerox printers (EC80xx, AltaLink, VersaLink, WorkCentre) could have allowed an attacker with administrative web credentials to fully compromise the devices with root privileges on the operating system. [SEC Consult]
↘️ The U.S. Department of Justice has announced charges against a 34-year-old Buffalo police detective, Terrance Michael Ciszek, who allegedly bought 194 stolen credentials on the now-defunct Genesis Market between March 16 and July 29, 2020. Ciszek is also alleged to have had bitcoin wallet addresses associated with UniCC, a dark web carding website that voluntarily shut down in January 2022. He faces a maximum penalty of 10 years in prison. [DoJ]
↘️ Law enforcement agencies in six countries announced disruption of infrastructure associated with the RedLine and Meta infostealers. RedLine and its improved version, Meta, were distributed by affiliates through various methods, such as phishing emails, malvertising, and fake software downloads. As part of the coordinated effort, called Operation Magnus, authorities hacked into the infostealers’ servers and disrupted their infrastructure, preventing further exfiltration of victim data. Two arrests were initially made by the Belgian police. One of those arrests was of a suspected infostealer customer who remains in police custody. No other details were released about the other detainee, other than that they were released. In tandem, the U.S. announced charges against Maxim Rudometov for allegedly developing RedLine and administering its infrastructure. Stealer malware is known to be used by threat actors with various levels of sophistication. Advanced actors have distributed them as a reconnaissance tool to steal credentials and perform further nefarious activity, such as delivering ransomware, while aspiring cybercriminals rely on stealers to harvest and sell the credentials to other actors. [The Hacker News / TechCrunch]
↘️ The China-sponsored Evasive Panda hacking crew has debuted CloudScout, a previously undocumented post-compromise toolset that retrieves data from various cloud services by leveraging stolen web session cookies. “The professional design behind the CloudScout framework [...] demonstrate[s] Evasive Panda’s technical capabilities and the important roles that cloud-stored documents, user profiles, and email play in its espionage operations,” ESET said. [The Hacker News]
↘️ Back in July, Guardio detailed a technique called EchoSpoofing that allowed attackers to successfully send spoofed emails by redirecting them through a virtual SMTP server, an Office365 Exchange Online server, and Proofpoint’s SMTP relay service. This path provided the fraudulent messages a means to pass standard authentication checks. Now, Amazon and Microsoft have detailed the measures they have put in place to prevent such attacks from happening. [AWS / Microsoft]
↘️ A fresh browser attack named CrossBarking has been disclosed in the Opera browser that compromises "private" application programming interfaces (APIs) to allow unauthorized access to sensitive data. The attack works by using a malicious browser extension to run malicious code in the context of sites with access to those powerful, private APIs. These sites include Opera’s own as well as third-party domains such as Instagram, VK, and Yandex. [The Hacker News]
↘️ A Russia-aligned influence operation — codenamed Operation Overload (aka Matryoshka and Storm-1679) — has been observed leveraging a combination of fake news, fact-checking sites, and AI-generated audio to manipulate public opinion by impersonating trusted media organizations and undermine trust in the U.S. election process. “This campaign primarily targets media outlets, fact-checkers, and researchers, aiming to overwhelm investigative resources and insert false narratives into mainstream discourse, but also directly targets the general public,” Recorded Future said. [Recorded Future]
↘️ New research has found that several Secure Web Gateways (SWGs) can be bypassed by attackers to deliver malware without getting flagged. Called Last Mile Reassembly Attacks (LMR), they work by assembling the malicious components directly in the victim's browser from seemingly non-malicious data. Threat actors could exploit the fact that SWGs don’t support inspection of channels such as WebRTC, WebSockets, WebTransport, and gRPC to transmit malware over them. Alternatively, they could also package the malware within SVG, CSS, or JavaScript and smuggle it to the victim machine, from where client-side JavaScript code can extract the module and launch the malware. “This means that the attack payload is not fully formed until it reaches the final stage (the ‘last mile’) — the victim’s browser—bypassing traditional network-based detection mechanisms used by cloud proxies, including Secure Web Gateways (SWGs),” SquareX said. [SquareX]
↘️ New research has found that an off-the-shelf millimetre wave sensor can pick out the tiny vibrations made by a smartphone's speaker, enabling an AI model to transcribe the conversation, even at a distance in a noisy room. [New Scientist]
↘️ Last month, panic ensued after reports that scientists in China had discovered a breakthrough in quantum computing attacks that posed a substantial threat to “military-grade encryption.” In reality, however, the study turned out to be a way to use D-Wave-enabled quantum annealing to find integral distinguishers of up to 9 rounds, which are crucial to key recovery attacks targeting block ciphers. “The media coverage of the recent Chinese quantum research on encryption attacks seems to sensationalize the findings, creating fear, uncertainty, and doubt,” Avesta Hojjati, head of R&D at DigiCert, said. “While the research shows quantum computing's potential threat to classical encryption, the attack was executed on a 22-bit key—far shorter than the 2048- or 4096-bit keys commonly used in practice today. The suggestion that this poses an imminent risk to widely used encryption standards is misleading. This research, while intriguing, does not equate to an immediate quantum apocalypse. We are still far from a practical attack that can threaten real-world encryption systems, especially with the current state of quantum computing. The coverage may serve as a cautionary tale, but it exaggerates the timeline and feasibility of quantum threats to make for a more dramatic story. While the research advances discussion on quantum readiness, we should remain cautious but not alarmist.” [Ars Technica / Forbes / Dark Reading]
↘️ Chipmaker Intel has pushed back against claims from the Cybersecurity Association of China (CSAC) that it embeds backdoors into its CPUs as part of a “next-generation security defense system.” The use of Intel products poses a serious risk to national security, CSAC added. In response, the company said: “Intel always puts product safety and quality first and has been actively working with customers and the industry to ensure product safety and quality. We will maintain communication with relevant departments to clarify relevant questions and demonstrate our firm commitment to product safety and quality.” CSAC’s call for an extensive evaluation of Intel’s systems comes amid growing geopolitical tensions between China and the U.S. [Reuters]