By the CyberWire staff
At a glance.
- US Justice Department charges alleged Snowflake hackers.
- FBI and CISA confirm Chinese hacking campaign targeting telecoms.
- Lazarus Group uses new technique to hide malicious code on macOS.
- Iranian and North Korean threat actors use phony job offers to deliver malware.
- Five Eyes agencies publish list of most frequently exploited vulnerabilities.
- Chinese threat actor compromises Tibetan websites.
- Amazon confirms third-party breach affecting employee contact info.
- Alleged Hot Topic breach affects nearly 57 million accounts.
US Justice Department charges alleged Snowflake hackers.
The US Justice Department has released its indictment of two individuals allegedly responsible for a string of breaches of Snowflake cloud storage accounts, CyberScoop reports. The Justice Department accuses Connor Moucka and John Binns of hacking at least ten organizations, including a "major telecommunications company located in the United States." While the indictment doesn't name specific victims, TechCrunch notes that the telecommunications company is almost certainly AT&T, which disclosed a major breach of phone and text message records earlier this year.
The Justice Department says the defendants worked with other co-conspirators to steal "billions of sensitive customer records" and received ransom payments totaling $2.5 million from at least three victims.
Moucka was arrested in Canada, while Binns was arrested in Turkey. They've been charged in the US District Court of Western Washington.
FBI and CISA confirm Chinese hacking campaign targeting telecoms.
The US FBI and the Cybersecurity and Infrastructure Security Agency (CISA) have confirmed that Chinese government hackers conducted a "broad and significant cyber espionage campaign" that compromised several US telecom companies, TechCrunch reports. The Wall Street Journal reported last month that the breached companies include AT&T, Lumen, and Verizon. The hackers targeted systems used by the Federal government to carry out court-authorized network wiretapping requests.
The FBI and CISA stated, "[W]e have identified that PRC-affiliated actors have compromised networks at multiple telecommunications companies to enable the theft of customer call records data, the compromise of private communications of a limited number of individuals who are primarily involved in government or political activity, and the copying of certain information that was subject to U.S. law enforcement requests pursuant to court orders. We expect our understanding of these compromises to grow as the investigation continues."
Lazarus Group uses new technique to hide malicious code on macOS.
Group-IB has published a report on a new technique North Korea's Lazarus Group is using to conceal malicious code on macOS systems. The threat actor is smuggling code within custom extended attributes, which are metadata components for macOS files that "allow users to store additional information about a file beyond the standard attributes like file size, timestamps, and permissions." Group-IB discovered files that contain shellcode in the extended attributes, which is designed to deliver a new macOS trojan dubbed "RustyAttr."
The researchers note, "macOS systems provide some level of protection for the found samples. To trigger the attack, users must disable Gatekeeper by overriding malware protection. It is likely that some degree of interaction and social engineering will be necessary to convince victims to take these steps. However, this may not be the case for possibly other future samples that are properly signed and notarized, or coupled with macOS Gatekeeper bypasses."
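A defender-side check for the technique described above, added here and not part of Group-IB's report: it enumerates the extended attributes on every file under a directory and flags those that are neither a well-known macOS attribute nor small printable text, which is what smuggled shellcode looks like from the outside. The allow-list of Apple attribute names, the 256-byte threshold, and the use of macOS's stock `xattr` tool (Python's `os.listxattr` exists only on Linux) are assumptions.

```python
import os
import subprocess
from typing import Dict, List

# macOS-written attribute names; anything else gets a closer look (assumed allow-list and threshold; tune per fleet).
KNOWN_ATTRS = {
    "com.apple.quarantine", "com.apple.FinderInfo", "com.apple.provenance",
    "com.apple.metadata:kMDItemWhereFroms", "com.apple.lastuseddate#PS",
}
SIZE_LIMIT = 256  # bytes; legitimate custom metadata is rarely larger

def suspicious_attrs(attrs: Dict[str, bytes]) -> List[str]:
    """Names of attributes that look like smuggled code: not a known macOS
    attribute, and either large or not printable text."""
    flagged = []
    for name, value in attrs.items():
        if name in KNOWN_ATTRS:
            continue
        try:
            printable = value.decode("utf-8").isprintable()
        except UnicodeDecodeError:
            printable = False  # raw bytes; shellcode is never valid text
        if len(value) >= SIZE_LIMIT or not printable:
            flagged.append(name)
    return flagged

def read_attrs(path: str) -> Dict[str, bytes]:
    """All extended attributes of one file. os.listxattr exists only on
    Linux, so on macOS the stock `xattr` tool is shelled out to instead."""
    if hasattr(os, "listxattr"):
        names = os.listxattr(path, follow_symlinks=False)
        return {n: os.getxattr(path, n, follow_symlinks=False) for n in names}
    run = lambda *a: subprocess.run(["xattr", *a, path], capture_output=True,
                                    text=True, check=True).stdout
    # `xattr <file>` lists names; `xattr -px <name> <file>` dumps the value as hex
    return {n: bytes.fromhex("".join(run("-px", n).split())) for n in run().split()}

def scan(root: str) -> Dict[str, List[str]]:
    """Walk a tree; map each file carrying suspicious attributes to their names."""
    hits = {}
    for dirpath, _, files in os.walk(root):
        for fn in files:
            path = os.path.join(dirpath, fn)
            try:
                flagged = suspicious_attrs(read_attrs(path))
            except (OSError, subprocess.CalledProcessError):
                continue  # unreadable, or no xattr support on this filesystem
            if flagged:
                hits[path] = flagged
    return hits
```

Run `scan("/Applications")` (or any directory) and review every hit by hand; a flagged attribute is a lead, not a verdict, since some third-party apps legitimately store binary metadata.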
Separately, researchers at Jamf are tracking new strains of macOS malware developed by suspected North Korean threat actors. One of the strains was made with Flutter, a software development kit from Google designed for creating cross-platform applications. The malware was embedded in an open-source Minesweeper game built with Flutter. Jamf notes, "Applications built using Flutter lead to a uniquely designed app layout that provides a large amount of obscurity to the code. This is due to the fact that code written into the main app logic using the Dart programming language is contained within a dylib that is later loaded by the Flutter engine."
Iranian and North Korean threat actors use phony job offers to deliver malware.
Palo Alto Networks' Unit 42 is tracking a cluster of North Korean IT workers responsible for launching phishing attacks using malware-infected video conference apps. The group exploited a US-based IT services company to apply for jobs in the US, and secured a position at a major tech company in 2022. The threat actor then targeted IT developers in the US with phony job offers, attempting to trick the job seekers into installing trojanized conference call installers. Unit 42 notes that this activity "highlights the IT workers’ shift from stable income-seeking activities to involvement in more aggressive malware campaigns."
A subgroup of the Iranian threat actor Charming Kitten is also using phony job offers to deliver malware, targeting individuals in the aerospace industry, according to researchers at ClearSky. The malware files were flagged by some security firms as belonging to North Korea's Lazarus Group, which ClearSky says suggests that "either Charming Kitten was impersonating Lazarus to hide its activities, or that North Korea shared attack methods and tools with Iran."
Five Eyes agencies publish list of most frequently exploited vulnerabilities.
CISA, the FBI, NSA, and other Five Eyes intelligence agencies have published a list of the fifteen most commonly exploited vulnerabilities over the past year, BleepingComputer reports. The agencies note, "In 2023, the majority of the most frequently exploited vulnerabilities were initially exploited as a zero-day, which is an increase from 2022, when less than half of the top exploited vulnerabilities were exploited as a zero-day."
The list includes vulnerabilities affecting Citrix's NetScaler ADC/Gateways, Progress's MOVEit Transfer software, Atlassian's Confluence Data Center/Server, and Fortinet's FortiOS/FortiProxy SSL-VPN.
Chinese threat actor compromises Tibetan websites.
Recorded Future's Insikt Group says the Chinese threat actor TAG-112 compromised two Tibetan websites, Tibet Post and Gyudmed Tantric University, to deliver the Cobalt Strike attack tool. The researchers explain, "The attackers exploited vulnerabilities in the Joomla content management system (CMS) used by these sites to implant malicious JavaScript. This JavaScript prompted visitors to download a fake security certificate, which, when opened, deployed the Cobalt Strike payload."
The goal of the operation is likely cyberespionage.
Amazon confirms third-party breach affecting employee contact info.
Amazon has confirmed that employee contact information was stolen last year during a breach involving the MOVEit file transfer system, the Register reports. The breach occurred at one of Amazon's vendors. An Amazon spokesperson stated, "Amazon and AWS systems remain secure, and we have not experienced a security event. We were notified about a security event at one of our property management vendors that impacted several of its customers including Amazon. The only Amazon information involved was employee work contact information, for example work email addresses, desk phone numbers, and building locations."
Alleged Hot Topic breach affects nearly 57 million accounts.
Have I Been Pwned (HIBP) warns that merch and clothing chain Hot Topic sustained a breach in October affecting nearly 57 million customer accounts, exposing email and physical addresses, dates of birth, partial credit card data, phone numbers, and purchases. The breach also affected Hot Topic's BoxLunch and Torrid customers.
HudsonRock published a report on the alleged breach last month, noting that a threat actor was demanding a $100,000 ransom to keep the data private. BleepingComputer says Hot Topic hasn't commented on the reported breach.
Crime and punishment.
A Chinese national, Daren Li, pleaded guilty in California to his involvement in laundering more than $73 million stolen through pig-butchering investment scams, the Record reports. Li was arrested in April at Hartsfield-Jackson Atlanta International Airport. He faces up to 20 years in prison.
The US Justice Department stated, "Li admitted that he conspired with others to launder funds obtained from victims through cryptocurrency scams and related fraud. In furtherance of the conspiracy, he communicated with his co-conspirators through encrypted messaging services. In order to conceal or disguise the nature, location, source, ownership, and control of the fraudulently obtained victim funds, Li would instruct co-conspirators to open U.S. bank accounts established on behalf of shell companies and would monitor the receipt and execution of interstate and international wire transfers of victim funds."
Courts and torts.
Court documents published on Thursday from WhatsApp's lawsuit against NSO Group show that the spyware vendor's Pegasus tool was used to target 1,400 WhatsApp users in 2019, the Record reports. The filing asserts that NSO used a zero-click exploit called "Eden" which went through WhatsApp's relay servers, rather than NSO's own servers. WhatsApp alleges that since the exploit abused the company's servers to infect its users, NSO was acting "in violation of federal and state law and the plain language of WhatsApp’s Terms of Service."
A WhatsApp spokesperson said the documents "[show] exactly how NSO’s operations violated U.S. law and launched their cyber-attacks against journalists, human rights activists and civil society." NSO Group hasn't responded to the Record's request for comment.