Jan 23 2024
Welcome to Gone Phishing, your daily cybersecurity newsletter that wants to know #WhatsApp with cybercriminals 👀🙈💀
Today’s hottest cybersecurity news stories:
🤏 NS-Stealer is on the hunt for your secrets via your browsers 🌐
⛩️ MavenGate could allow Java, Android hack-attacks via libraries 📚
🍜 N. Korean hackers weaponize fake research w/ RokRAT Backdoor 🚪
Cybersecurity researchers have unearthed a sophisticated threat known as NS-STEALER. This Java-based information stealer deploys a Discord bot to slyly exfiltrate sensitive data from compromised hosts. 😱🔒
🕵️ Propagation Tactics
Disguised within ZIP archives as cracked software, the malware unfolds through a rogue Windows shortcut file, “Loader GAYve.” This shortcut serves as the gateway to unleash a malicious JAR file, creating a folder to stash stolen data called “NS-<11-digit_random_number>.”
📁 Data Harvesting
NS-STEALER goes beyond basic tricks, snagging screenshots, cookies, credentials and autofill data from various web browsers, plus system info, installed program lists, Discord tokens, and Steam and Telegram session data. The sophistication lies in its use of X509Certificate for authentication, enabling swift data theft through the Java Runtime Environment.
📡 Exfiltration Channel
The captured intel finds its way to a Discord Bot channel, making the entire operation cost-effective for the threat actors.
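The delivery chain above (shortcut launches a JAR, stealer stashes loot in a folder named NS-<11 digits>) gives a defender two concrete things to look for. The following is an added example, not code from the newsletter or from any vendor report: it runs simple detection logic over Sysmon-style process-creation (event ID 1) and file-creation (event ID 11) events. The event shapes, the user-writable path list and every sample event are constructed for this example; only the folder-name pattern comes from the description above.

```python
"""Added example: flag events consistent with the NS-STEALER delivery chain
described in the newsletter. Sysmon-style dicts are used as a stand-in for
real telemetry; all sample events below are constructed."""
import re
from dataclasses import dataclass

# Folder name the newsletter attributes to NS-STEALER: "NS-" followed by 11 digits.
# Matched as a path component, so any file written beneath it is flagged.
STASH_DIR_RE = re.compile(r"[\\/]NS-\d{11}(?:[\\/]|$)")
# Where a JAR unpacked from a "cracked software" ZIP would typically land.
# Assumption for this example, not an indicator from the report.
USER_WRITABLE_RE = re.compile(
    r"\\Users\\[^\\]+\\(?:Downloads|AppData\\Local\\Temp|Desktop)\\", re.I)
JAVA_IMAGES = {"java.exe", "javaw.exe"}
JAR_ARG_RE = re.compile(r'-jar\s+"?([^"]+?\.jar)"?', re.I)


@dataclass
class Finding:
    rule: str
    event_id: int
    detail: str


def _basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1]


def detect(events: list[dict]) -> list[Finding]:
    """Return one Finding per suspicious event.

    Rule 1: java/javaw launched with -jar on a JAR under a user-writable path,
            with explorer.exe as parent (how a double-clicked .lnk shows up).
    Rule 2: a file created under a directory named NS-<11 digits>.
    """
    findings = []
    for ev in events:
        eid = ev.get("EventID")
        if eid == 1:  # process creation
            image = _basename(ev.get("Image", "")).lower()
            parent = _basename(ev.get("ParentImage", "")).lower()
            jar = JAR_ARG_RE.search(ev.get("CommandLine", ""))
            if (image in JAVA_IMAGES and jar and parent == "explorer.exe"
                    and USER_WRITABLE_RE.search(jar.group(1))):
                findings.append(Finding("lnk_launches_jar", eid, jar.group(1)))
        elif eid == 11:  # file creation
            target = ev.get("TargetFilename", "")
            if STASH_DIR_RE.search(target):
                findings.append(Finding("ns_stealer_stash_dir", eid, target))
    return findings


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    {"EventID": 1, "Image": r"C:\Program Files\Java\jre\bin\javaw.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r'"C:\Program Files\Java\jre\bin\javaw.exe" -jar '
                    r'"C:\Users\alice\Downloads\crack\Loader.jar"'},
    # Benign: a build tool running a JAR from a system tools path.
    {"EventID": 1, "Image": r"C:\Program Files\Java\jre\bin\java.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"java.exe -jar C:\tools\build\app.jar"},
    {"EventID": 11,
     "TargetFilename": r"C:\Users\alice\AppData\Local\Temp\NS-48213097651\screenshot.png"},
    # Benign: folder name has the wrong digit count.
    {"EventID": 11,
     "TargetFilename": r"C:\Users\alice\AppData\Local\Temp\NS-1234\notes.txt"},
]

if __name__ == "__main__":
    for f in detect(SAMPLE_EVENTS):
        print(f"[{f.rule}] event {f.event_id}: {f.detail}")
```

Run as-is it reports the first and third sample events and stays quiet on the two benign ones; in practice the user-writable path list and the parent-process condition are what you would tune to your own environment's noise.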
🔄 Chaes Malware Update
Meanwhile, the Chaes (aka Chae$) malware creators roll out version 4.1, enhancing the Chronod module for pilfering login credentials and intercepting crypto transactions. The infection chains leverage Portuguese-themed email lures to trick recipients into activating Chae$ 4.1.
👾 Developer Messages
In an intriguing turn, the malware developers include messages within the source code, expressing gratitude to security researcher Arnold Osipov for aiding in software improvement. 🤝
💡 Stay Vigilant, Stay Updated
As threats evolve, fortify your defences against NS-STEALER and its counterparts. Regular updates and awareness are your best allies in the cyber battlefield!
🛡️ Secure Your Systems, Stay Informed
Dive into the details and fortify your cybersecurity measures to safeguard your data! 💻🔐
Signup for Free
Learn AI in 5 minutes a day. We’ll teach you how to save time and earn more with AI. Join 400,000+ free daily readers for trending tools, productivity boosting prompts, the latest news, and more.
Who’s that knocking at the door… A novel software supply chain attack dubbed MavenGate is targeting public Java and Android libraries, exploiting abandoned but still-used projects. 😱🔒
🛡️ Attack Methodology
Oversecured reveals that access to projects can be hijacked by purchasing expired domain names. Because of weaknesses in default build configurations, these attacks are difficult to detect. Successful exploitation could empower malicious actors to infiltrate dependencies, inject harmful code into applications, and even compromise the build process via a malicious plugin.
📱 Vulnerable Technologies
All Maven-based technologies, including Gradle, are susceptible to this attack. Reports have been sent to over 200 companies, including tech giants Google, Facebook, Signal, Amazon, and others.
🎯 Modus Operandi
The attacker targets expired domains belonging to dependency owners (a groupId such as com.example is simply the reversed domain example.com) and thereby gains control of those groupIds. Ownership is asserted via DNS TXT records on repositories where no account yet manages the vulnerable groupId; if the groupId is already registered, attackers may instead contact the repository’s support team.
💡 Demonstration of the Attack
Oversecured demonstrated the attack by uploading a test Android library to Maven Central and JitPack, showcasing the ease with which an attacker can manipulate the dependency resolution in Gradle build scripts.
🛑 Detection Challenges
Most applications lack robust dependency signature checks, and libraries often do not publish digital signatures. This allows attackers to remain undetected by releasing new library versions with embedded malicious code.
🌐 Scope of Vulnerability
Out of 33,938 analysed domains, 18.18% were found vulnerable to MavenGate, giving threat actors the potential to hijack dependencies and introduce their code.
🔒 Response from Sonatype (Maven Central)
Sonatype contends that the outlined attack strategy is not feasible due to existing automation. It has disabled accounts associated with expired domains and GitHub projects, and addressed a regression in its public key validation process. Plans are underway to collaborate with Sigstore on component digital signatures.
🚀 Call to Action
The responsibility for security lies with end developers for both direct and transitive dependencies. Library developers should declare dependencies responsibly and include public key hashes. Vigilance is crucial!
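The detection gap and the call to action above come down to one control: the build must refuse any dependency whose checksum or signature it has not already pinned, so a freshly published version under a hijacked groupId never gets loaded. Gradle implements this natively through gradle/verification-metadata.xml (bootstrapped with `./gradlew --write-verification-metadata sha256,pgp help` and enforced on every build once the file exists). The block below is an added example, not the newsletter's, Oversecured's or Sonatype's code: a stand-alone Python check that reads that same XML layout and applies the pinning rule to a set of resolved artifacts, so you can see exactly which two cases it rejects. The group `com.example`, the artifact `widget`, the JAR bytes and the metadata file are all constructed for the example.

```python
"""Added example: enforce pinned SHA-256 checksums for resolved dependencies,
reading the same XML layout Gradle uses in gradle/verification-metadata.xml.
Everything under demo() is constructed; no real artifacts are involved."""
import hashlib
import os
import tempfile
import xml.etree.ElementTree as ET
from dataclasses import dataclass

# Default namespace of Gradle's verification-metadata.xml.
NS = {"v": "https://schema.gradle.org/dependency-verification"}


@dataclass(frozen=True)
class Resolved:
    group: str
    name: str
    version: str
    path: str  # local file the build would actually load


def load_pins(xml_text: str) -> dict[tuple[str, str, str, str], str]:
    """Map (group, name, version, artifact file name) -> pinned sha256 hex."""
    root = ET.fromstring(xml_text)
    pins = {}
    for comp in root.findall("v:components/v:component", NS):
        base = (comp.get("group"), comp.get("name"), comp.get("version"))
        for art in comp.findall("v:artifact", NS):
            sha = art.find("v:sha256", NS)
            if sha is not None:
                pins[base + (art.get("name"),)] = sha.get("value").lower()
    return pins


def sha256_file(path: str) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def verify(resolved: list[Resolved], pins: dict) -> list[tuple[str, str]]:
    """Return (coordinate, verdict) pairs; any verdict other than 'ok' fails the build.

    An unpinned version is rejected outright: that is the MavenGate case, where
    an attacker who now controls the groupId publishes a new release.
    """
    out = []
    for dep in resolved:
        coord = f"{dep.group}:{dep.name}:{dep.version}"
        key = (dep.group, dep.name, dep.version, os.path.basename(dep.path))
        pinned = pins.get(key)
        if pinned is None:
            out.append((coord, "rejected: no pinned checksum"))
        elif sha256_file(dep.path) != pinned:
            out.append((coord, "rejected: checksum mismatch"))
        else:
            out.append((coord, "ok"))
    return out


def _write(path: str, data: bytes) -> str:
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "wb") as fh:
        fh.write(data)
    return path


def demo() -> list[tuple[str, str]]:
    """Constructed scenario: one pinned artifact, one tampered copy, one new version."""
    tmp = tempfile.mkdtemp()
    good = _write(os.path.join(tmp, "good", "widget-1.2.3.jar"),
                  b"PK\x03\x04 constructed jar bytes for the pinned release")
    tampered = _write(os.path.join(tmp, "tampered", "widget-1.2.3.jar"),
                      b"PK\x03\x04 same coordinates, different bytes")
    newer = _write(os.path.join(tmp, "newer", "widget-1.2.4.jar"),
                   b"PK\x03\x04 a version nobody ever pinned")
    metadata = f"""<?xml version="1.0" encoding="UTF-8"?>
<verification-metadata xmlns="https://schema.gradle.org/dependency-verification">
  <configuration>
    <verify-metadata>true</verify-metadata>
    <verify-signatures>true</verify-signatures>
  </configuration>
  <components>
    <component group="com.example" name="widget" version="1.2.3">
      <artifact name="widget-1.2.3.jar">
        <sha256 value="{sha256_file(good)}" origin="Generated for this example"/>
      </artifact>
    </component>
  </components>
</verification-metadata>"""
    resolved = [Resolved("com.example", "widget", "1.2.3", good),
                Resolved("com.example", "widget", "1.2.3", tampered),
                Resolved("com.example", "widget", "1.2.4", newer)]
    return verify(resolved, load_pins(metadata))


if __name__ == "__main__":
    for coord, verdict in demo():
        print(f"{coord}: {verdict}")
```

The checksum pin alone stops a silently republished artifact; the `verify-signatures` switch shown in the metadata is what additionally requires a signature from a key you have listed as trusted, which is the "public key hashes" the call to action asks library developers to supply.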
🛡️ Secure Your Codebase, Stay Informed
Delve into the details and fortify your software supply chain defences against MavenGate! 💻🔐
🃏 The Motley Fool: “Fool me once, shame on — shame on you. Fool me — you can’t get fooled again.” Good ol’ George Dubya 😂 Let us tell who’s not fooling around though; that’s the Crüe 👀 at Motley Fool. You’d be a fool (alright, enough already! 🙈) not to check out their Share Tips from time to time so your savings can one day emerge from their cocoon as a beautiful butterfly! 🐛 Kidding aside, if you check out their website they’ve actually got a ton of great content with a wide variety of different investment ideas to suit most budgets 🤑 (LINK)
🚵 Wander: Find your happy place. Cue Happy Gilmore flashback 🏌️⛳🌈🕊️ Mmmm Happy Place… 😇 So, we’ve noticed a lot of you guys are interested in travel. As are we! We stumbled upon this cool company that offers a range of breathtaking spots around the United States and, honestly, the website alone is worth a gander. When all you see about the Land of the Free and the Home of the Brave is news of rioting, looting and school shootings, it’s easy to forget how beautiful some parts of it are. The awe-inspiring locations, along with the innovative architecture of the hotels, set Wander apart from your run-of-the-mill American getaway 🏞️😍 (LINK)
🌊 Digital Ocean: If you build it, they will come. Nope, we’re not talking about a baseball field for ghosts ⚾👻🍿 (Great movie, to be fair 🙈). This is Digital Ocean, who’ve got a really cool platform for building and hosting pretty much anything you can think of. If you check out their website you’ll find yourself catching the buzz even if you can’t code (guilty 😑). But if you can and you’re looking for somewhere to test things out, launch something new or simply enhance what you’ve got, we’d recommend checking out their services fo’ sho 😉 And how can you not love their slogan: Dream it. Build it. Grow it. Right on, brother! 🌿 (LINK)
In December 2023, a new campaign orchestrated by the infamous ScarCruft targeted media organisations and North Korean affairs experts. This threat actor, also known as APT37, InkySquid, RedEyes, Ricochet Chollima, and Ruby Sleet, is suspected to be part of the Ministry of State Security (MSS), operating independently from Lazarus Group and Kimsuky. 😱💻
🔍 Modus Operandi
ScarCruft, associated with strategic espionage, is experimenting with fresh infection chains. In a notable move, it employed a technical threat research report as a decoy, likely targeting cybersecurity professionals and consumers of threat intelligence. 🕵️♂️📝
🎯 Noteworthy Targets
High-profile experts in North Korean affairs were singled out, with the attacker posing as a member of the North Korea Research Institute. The decoy involved a ZIP archive file containing presentation materials, harbouring two malicious Windows shortcut (LNK) files.
💼 Attack Techniques
The infection sequence mirrors a multi-stage approach used in a prior campaign, employing the RokRAT backdoor. The attackers are actively planning and testing their techniques, evident from malware like “intelligence.lnk” and “news.lnk” as well as shellcode variants delivering RokRAT. 🛡️💼
Some individuals targeted in this campaign were also identified as victims in a previous attack around November 16, 2023, showcasing the sustained and strategic nature of these cyber-espionage efforts.
ScarCruft’s adjustments in its tactics indicate an ongoing effort to evade detection, particularly following public disclosures about its methods. The threat actor remains dedicated to acquiring strategic intelligence, possibly seeking insights into non-public cyber threat intelligence and defence strategies.
By targeting media and experts, ScarCruft aims to gain a deeper understanding of international perceptions of developments in North Korea, contributing to the nation’s decision-making processes.
🛡️ Stay Vigilant, Stay Informed
Dive into the details and enhance your cybersecurity measures to guard against targeted attacks by sophisticated adversaries! 💻🔐
Every few weeks, we carefully select three hot newsletters to show you. Reputation is everything, so any links we share come from personal recommendation or carefully researched businesses at the time of posting. Enjoy!
The GeekAI: A daily 3 min newsletter on what matters in AI; with all the new AI things coming to market, it’s good to stay ahead of the curve.
Wealthy Primate: Want to earn over $100k a year in IT or cybersecurity? 20 year veteran ‘Wealthy Primate’ might be able to help you climb that tree 🐒🌴 with his stick and banana approach 🍌😏
Techspresso: Receive a daily summary of the most important AI and Tech news, selected from 50+ media outlets (The Verge, Wired, TechCrunch etc.)
Let us know what you think!
So long and thanks for reading all the phish!