Cybergeddon for UK infrastructure.

Apr 21 2023


Welcome to Gone Phishing, your daily cybersecurity newsletter that’s blasting off like Starship #SpaceX

Today’s hottest cyber security stories:

  • NCSC predicts Cybergeddon for UK infrastructure
  • Lazarus Group resurrects malware in Operation Dream Job
  • Alibaba Cloud: Two fatal flaws found

CYBERANARCHY IN THE UK!

Listen up, ladies and gents, because the National Cyber Security Centre is getting all bent out of shape about some state-aligned groups trying to cause chaos in our ‘critical national infrastructure’ (here in the UK, that is)! So, you know, just your usual Wednesday shenanigans in the cybersphere.

The NCSC, a part of GCHQ, is warning that these mischievous groups are planning some seriously destructive attacks, and they’re not in it for the cash. Nope, they’re just in it for the fun of it! How unpredictable!

Apparently, these groups are big fans of Russia’s invasion of Ukraine (shocker!), and they’ve been causing trouble for the past year and a half. They’re like annoying party guests that never leave, right? Well, actually, they’re much worse than that…

What do the experts say?

Well, Dr Marsha Quallo-Wright, NCSC Deputy Director for Critical National Infrastructure, said:

“It has become clear that certain state-aligned groups have the intent to cause damage to CNI organisations, and it is important that the sector is aware of this.

“In the wake of this emerging threat, our message to CNI sectors is to take sensible, proportionate steps now to protect themselves.

“The NCSC has produced advice for organisations on steps to take when the cyber threat is heightened, and I would strongly encourage all CNI organisations to follow this now.”

Looks like the CNI organisations need to step up their game and follow the NCSC’s heightened threat guidance to strengthen their defences.

In other words, check yourself before you wreck yourself, because we do not want these cyber pranksters ruining our collective digital future!

TL;DR?

  • New alert from NCSC highlights risk to CNI from state-aligned groups – particularly those sympathetic to Russia’s invasion of Ukraine
  • Groups could launch ‘destructive and disruptive attacks’ with less predictable consequences than those of traditional cyber criminals
  • CNI organisations strongly encouraged to follow NCSC advice on steps to take when cyber threat is heightened

FIND YOUR ‘DREAM JOB’. ACTUALLY, DON’T

Hold onto your hats, folks, because the notorious North Korea-aligned state-sponsored actor known as the Lazarus Group is at it again! Indeed, one might say, they’ve risen from the dead. Geddit? Not Christians, huh? Fair enough, and to be honest, the analogy isn’t so great because they never really went away; not for long, anyway!

This time, they’ve set their sights on Linux users in a new campaign called “Operation Dream Job”. ESET, a cybersecurity company, released a report today that exposed the ongoing shenanigans of these sneaky hackers.

What makes this attack especially noteworthy is that it’s the first time the Lazarus Group has used Linux malware as part of their social engineering scheme. Who says you can’t teach an old dog new tricks?

Operation Dream Job (AKA DeathNote or NukeSped) is just one of the many ways this crafty group uses fraudulent job offers to trick unsuspecting targets into downloading malware. This latest attack also overlaps with two other Lazarus clusters known as Operation In(ter)ception and Operation North Star. Talk about a busy bunch!

Loose zips sink ships!

ESET uncovered the attack chain, which involves a fake HSBC job offer tucked away in a ZIP archive file. But don’t be fooled – the real payload is a Linux backdoor named SimplexTea, which is distributed via an OpenDrive cloud storage account.

These hackers may be sneaky, but they’re not exactly subtle!

ALIBABA COMES A CROPPER

Alibaba Cloud’s ApsaraDB RDS for PostgreSQL and AnalyticDB for PostgreSQL have some “BrokenSesame” issues! Sounds like the genie is out of the bottle. Always great to see that the cybersecurity community at large enjoys a pun as much as we do.

These critical flaws could potentially ‘open sesame’ the door to some sneaky hackers looking to breach tenant isolation protections and get their hands on sensitive data belonging to other customers. Yikes!

But wait, it gets better (or worse, depending on your perspective). Apparently, the vulnerabilities include a privilege escalation flaw in AnalyticDB and a remote code execution bug in ApsaraDB RDS.

This means an attacker could have some serious power to elevate privileges to root within the container, escape to the underlying Kubernetes node, and ultimately obtain unauthorised access to the API server.

With that kind of access, the attacker could grab credentials from the container registry and push a malicious image, taking control of customer databases belonging to other tenants on the shared node.

Don’t just take our word for it!

A cloud security firm named Wiz said in a new report: “The vulnerabilities potentially allowed unauthorised access to Alibaba Cloud customers’ PostgreSQL databases and the ability to perform a supply chain attack on both Alibaba database services, leading to an RCE on Alibaba database services.”

It’s Aladdin’s cave of wonders, but instead of kisses, you get kicked! Wait, wrong musical. Was Aladdin a musical? We digress.

To end on a rare positive note, the good news is the company deployed mitigations for these issues on April 12, 2023, so we can rest easy knowing that our sensitive data is (hopefully!) safe for now. Phew!

So long and thanks for reading all the phish!

Cyber Dawg’s top picks from the week. He’s your Dawg, he got you.

MONDAY: Discord gaming communities watch out

TUESDAY: Aussies lose $3.1 billion in 2022

WEDNESDAY: 100 million downloads infected

THURSDAY: WhatsApp & Signal take on the UK’s online safety bill
