North Korean Hackers, Fake Subpoenas, Crypto Laundering, ML Toolkit Flaws, and AndroxGh0st Malware

Notable news for the week of November 4th through November 11th. Your editor this week is Chris from the F5 Security Incident Response Team. For this edition we have macOS users being targeted by North Korean hackers, warnings from the FBI of increases in hacked emails and fake subpoenas, the sentencing of a crypto laundering kingpin, ML toolkit security flaws, and malware using a botnet to target IoT devices as well as cloud services.

 

North Korean Hackers Target macOS Users

New research from SentinelOne shows that the BlueNoroff hacking team has been carrying out a phishing campaign built around fake news headlines or stories on crypto-related topics. BlueNoroff has been documented as a sub-group within North Korea's Lazarus APT operation. The phishing emails target decentralized finance and cryptocurrency businesses and embed a malicious macOS application disguised as a link to a PDF document. The link carries topic titles such as "Hidden Risk Behind New Surge of Bitcoin Price" and "Altcoin Season 2.0-The Hidden Gems to Watch". The campaign, called 'Hidden Risk', also abuses the 'zshenv' configuration file to maintain persistence while bypassing macOS Ventura's notifications for item modification. The macOS malware is written in Swift and named to match the embedded PDF document. The tricky part is that the application is signed with a legitimate Apple Developer ID, since revoked, and when run it actually opens a decoy PDF file from a Google Drive link to avoid suspicion; to the victim it simply looks like the PDF opened. SentinelOne researchers also observed that the malware downloads and executes a malicious x86-64 binary from a hard-coded URL, uses exceptions in its Info.plist file to bypass security features, and establishes communication with a command-and-control server. BlueNoroff specializes in funding the North Korean regime by targeting banks and cryptocurrency exchanges.

https://www.securityweek.com/north-korean-hackers-target-macos-users-with-fake-crypto-pdfs/ 
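One defensive check for the zshenv persistence described above, as an added example that is not part of the post or of SentinelOne's report: it audits the user and system zshenv files for lines that fetch, decode or launch something at shell start. The file locations are the standard zsh ones; the heuristic patterns are this example's own assumptions, not indicators from the research.

```python
"""Audit zsh startup files for persistence-style entries.

Added example, not part of the F5 SIRT post or SentinelOne's research.
zsh sources zshenv for every shell it starts, login or not, so a command
dropped there runs each time a shell starts. The patterns below are this
example's own heuristics, not indicators from the report.
"""
import re
from pathlib import Path

# Files zsh sources before anything else; user file first, then system-wide.
ZSHENV_PATHS = [Path.home() / ".zshenv", Path("/etc/zshenv")]

# Heuristic patterns for entries a defender would want a second look at.
SUSPICIOUS = [
    (re.compile(r"\b(curl|wget)\b"), "downloads content at shell start"),
    (re.compile(r"\bbase64\b"), "decodes base64 at shell start"),
    (re.compile(r"\bnohup\b|&\s*$"), "launches a background process"),
    (re.compile(r"/\.[A-Za-z0-9_]+/"), "references a hidden directory"),
    (re.compile(r"\b(python3?|osascript|open)\b"), "runs an interpreter or app"),
]


def audit_zshenv_text(text):
    """Return (line_no, line, reason) for each line matching a heuristic."""
    findings = []
    for line_no, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # blank lines and comments never execute
        for pattern, reason in SUSPICIOUS:
            if pattern.search(line):
                findings.append((line_no, line, reason))
                break  # one reason per line is enough for triage
    return findings


def audit_zshenv_files(paths=ZSHENV_PATHS):
    """Audit each zshenv file that exists; returns {path: findings}."""
    report = {}
    for path in paths:
        if path.is_file():
            report[str(path)] = audit_zshenv_text(path.read_text(errors="replace"))
    return report


if __name__ == "__main__":
    for path, findings in audit_zshenv_files().items():
        print(f"{path}: {len(findings)} suspicious line(s)")
        for line_no, line, reason in findings:
            print(f"  line {line_no}: {reason}: {line}")
```

A hit is a triage prompt, not a verdict; compare the flagged line against a known-good copy of the file before acting.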

 

FBI Warns of Spike in Hacked Emails and Fake Subpoenas 

The FBI has been reaching out to governments and police departments around the world to warn them about a recent rise in malicious actors using hacked police email accounts to send fake subpoenas and data requests to U.S.-based tech companies. In the U.S., when law enforcement agencies want to obtain information about accounts at technology providers, they have to submit a court-ordered warrant or subpoena. Using the hacked email accounts, the actors forge these warrants or subpoenas to trick companies into complying. They also use Emergency Data Requests (EDRs), which are meant for cases where people are at risk of harm or death, to get requests processed faster and possibly bypass the need for a subpoena. It is difficult for a company to quickly determine whether a request is legitimate, which puts it in a bad position, having to reply quickly. Verizon, for example, recently revealed in its latest transparency report that it received more than 127,000 law enforcement demands for data in the second half of 2023, including more than 36,000 EDRs, and stated that it provided records for 90% of them. Cybercriminals have been selling EDR services for multiple countries on criminal forums for years, meaning this is not a new activity but an uptick in an issue that has already been happening.

https://krebsonsecurity.com/2024/11/fbi-spike-in-hacked-police-emails-fake-subpoenas/ 

 

Crypto Laundering Kingpin Sentenced to 12.5 Years in Prison 

Roman Sterlingov, 36, has been sentenced to 12 years and six months in U.S. prison. He is the operator of the longest-running money laundering machine in dark web history, Bitcoin Fog. Along with the sentence, he was ordered to repay more than half a billion dollars accrued from the cryptocurrency mixing service, which ran between 2011 and 2021. He faced a maximum sentence of 50 years when he was first found guilty back in March. On top of money laundering, the crimes found associated with his activity included drug sales, computer misuse, identity theft, and child sex abuse material (CSAM). There are many cryptocurrency mixers available to criminals, so this will not put an end to their use, but it does show that they can be taken down when used illegally.

https://www.theregister.com/2024/11/11/bitcoin_fog_sentencing/ 

 

Security Flaws in Popular ML Toolkits Enable Server Hijacks and Privilege Escalation 

Researchers have found around two dozen security flaws across 15 different machine learning related projects, on both the client side and the server side, as stated by security firm JFrog last week. They said the server-side weaknesses "allow attackers to hijack important servers in the organization such as ML model registries, ML databases, and ML pipelines". Exploiting an ML pipeline can be extremely severe since pipelines have access to ML datasets, ML model training, and ML model publishing. Poisoning a training model could have huge ramifications for an organization, not to mention the information an attacker could gain from the dataset. One project that aims to fight back is a defensive framework named Mantis, which leverages prompt injection as a way to counter an attacker's large language models (LLMs). It has been found to have 95% effectiveness. Mantis can inject crafted responses which can disrupt the attacker's operations or even compromise the attacker's system. The best part is that the victim can in turn become the attacker.

https://thehackernews.com/2024/11/security-flaws-in-popular-ml-toolkits.html 

 

AndroxGh0st Malware Uses Botnet to Target IoT and Cloud Services 

The creators of AndroxGh0st are now exploiting a larger set of security flaws affecting various internet applications. They have also set it up to deploy the Mozi botnet malware, which uses remote code execution and credential stealing to maintain access and exploits unpatched vulnerabilities to further infiltrate infrastructure. AndroxGh0st targets Laravel applications to gather sensitive data for services like AWS, SendGrid, and Twilio. Originally, in 2022, it used these flaws to gain access, escalate privileges, and establish persistence:

    CVE-2021-41773  Apache
    CVE-2018-15133  Laravel Framework
    CVE-2017-9841   PHPUnit

According to the latest analysis from CloudSEK, the set of vulnerabilities the malware uses has grown to include:

    CVE-2014-2120   Cisco ASA
    CVE-2018-10561  Dasan GPON
    CVE-2018-10562  Dasan GPON
    CVE-2021-26086  Atlassian Jira
    CVE-2021-41277  Metabase GeoJSON
    CVE-2022-1040   Sophos Firewall
    CVE-2022-21587  Oracle EBS
    CVE-2023-1389   TP-Link Archer AX21
    CVE-2024-4577   PHP CGI
    CVE-2024-36401  GeoServer

The botnet cycles through common admin credentials and then redirects to the admin dashboard for WordPress sites at /wp-admin/. It has also been seen exploiting unauthenticated flaws in Netgear DGN and Dasan GPON devices to drop the 'Mozi.m' malware payload. Mozi is another well-known botnet that strikes IoT devices for use in DDoS attacks. AndroxGh0st appears to be leveraging Mozi's ability to propagate to bring more IoT devices into its grasp, which raises the question of whether both malware families are under the control of the same group.

https://thehackernews.com/2024/11/androxgh0st-malware-integrates-mozi.html
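A defender-side check for the credential cycling described above, as an added example that is not code from the F5 SIRT post or from CloudSEK: it parses constructed Apache-style access-log lines and flags a client that repeatedly POSTs to the WordPress login page and then reaches /wp-admin/. The login path, the log format and the attempt threshold are this example's own assumptions.

```python
"""Flag admin credential cycling against WordPress in web access logs.

Added example, not part of the F5 SIRT post or the CloudSEK analysis. It
looks for the behaviour the post describes: a client posting to the login
page repeatedly and then reaching /wp-admin/. The log lines are constructed
for this example, in Apache combined-log format; the threshold is a guess.
"""
import re
from collections import defaultdict

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+)'
    r' [^"]*" (?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"'
)

SAMPLE_LOG = """\
203.0.113.7 - - [11/Nov/2024:10:00:01 +0000] "POST /wp-login.php HTTP/1.1" 200 3210 "-" "Mozilla/5.0"
203.0.113.7 - - [11/Nov/2024:10:00:02 +0000] "POST /wp-login.php HTTP/1.1" 200 3210 "-" "Mozilla/5.0"
203.0.113.7 - - [11/Nov/2024:10:00:03 +0000] "POST /wp-login.php HTTP/1.1" 200 3210 "-" "Mozilla/5.0"
203.0.113.7 - - [11/Nov/2024:10:00:04 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
203.0.113.7 - - [11/Nov/2024:10:00:05 +0000] "GET /wp-admin/ HTTP/1.1" 200 51200 "-" "Mozilla/5.0"
198.51.100.4 - - [11/Nov/2024:10:01:00 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
198.51.100.4 - - [11/Nov/2024:10:01:01 +0000] "GET /wp-admin/ HTTP/1.1" 200 51200 "-" "Mozilla/5.0"
"""

def parse_line(line):
    """Return the fields of one combined-log line as a dict, or None."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None

def find_credential_cycling(log_text, min_attempts=3):
    """Return {ip: login_posts} for clients that POST to wp-login.php at
    least min_attempts times and afterwards request /wp-admin/."""
    attempts = defaultdict(int)
    reached_admin = set()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue  # skip lines that are not in combined-log format
        path = rec["path"].split("?", 1)[0]  # drop any query string
        if rec["method"] == "POST" and path.endswith("/wp-login.php"):
            attempts[rec["ip"]] += 1
        elif path.startswith("/wp-admin") and attempts[rec["ip"]] >= min_attempts:
            reached_admin.add(rec["ip"])  # dashboard reached after repeated logins
    return {ip: attempts[ip] for ip in sorted(reached_admin)}

if __name__ == "__main__":
    for ip, n in find_credential_cycling(SAMPLE_LOG).items():
        print(f"ALERT {ip}: {n} login POSTs followed by /wp-admin/ access")
```

The second client in the sample logs in on the first try and is not flagged at the default threshold, which is the point of the check: a single successful login is normal, a run of POSTs before the dashboard appears is not.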

Published Nov 13, 2024