Lazarus Group Expands Arsenal with Linux Malware in Operation Dream Job
The notorious North Korea-aligned Lazarus Group has added Linux malware to its toolset in a new campaign tracked as Operation Dream Job, according to ESET. This is the first publicly documented instance of the group using Linux malware as part of this operation. Operation Dream Job, also known as DeathNote or NukeSped, consists of multiple attack waves in which the group uses fake job offers to lure targets into downloading malware. The operation also overlaps with two other Lazarus clusters, Operation In(ter)ception and Operation North Star.
In the attack chain uncovered by ESET, a fake HSBC job offer serves as the decoy inside a ZIP archive that also delivers a Linux backdoor named SimplexTea, whose second stage is hosted on an OpenDrive cloud storage account. How the ZIP file reaches victims is not known, but spear-phishing or direct messages on LinkedIn are suspected. SimplexTea, written in C++, resembles BADCALL, a Windows trojan previously attributed to Lazarus. ESET has also identified commonalities between artifacts used in the Dream Job campaign and those found in the supply chain attack on VoIP software developer 3CX in March 2023, which supports attributing that incident to the same actor.
YouTube Videos Exploited to Distribute Aurora Stealer Malware Using Evasive Loader
Cybersecurity researchers have detailed the inner workings of an evasive loader named "in2al5d p3in4er" (read: "invalid printer") that delivers the Aurora information stealer. Aurora, a Go-based information stealer that surfaced on the threat landscape in late 2022, is sold as commodity malware to other threat actors. It is distributed mainly through YouTube videos and SEO-poisoned fake cracked-software download sites: the links in video descriptions redirect the victim to decoy websites that entice them to download the malware disguised as a legitimate utility.
The loader, analyzed by Morphisec, queries the vendor ID of the graphics card installed on the system and compares it against an allowlist of vendor IDs (AMD, Intel, or NVIDIA). If the value does not match, which is typical of virtual machines and analysis sandboxes that expose a virtual display adapter, the loader terminates itself. Otherwise it decrypts the final payload and injects it into a legitimate process, "sihost.exe", using process hollowing; some samples instead allocate memory, write the decrypted payload there and invoke it directly. The loader is built with Embarcadero RAD Studio, which produces executables for multiple platforms and contributes to its low detection rates. The operators behind in2al5d p3in4er thus combine social engineering at scale, with YouTube as the distribution channel and convincing fake download sites as the landing pages, with an evasive first stage to deliver the stealer.
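One detection angle for the process-hollowing step, as an added example that is not Morphisec's code: sihost.exe is a legitimate Windows binary, so the tell is not the image but who launched it. The Python below scores constructed process-creation events (fields modelled on Sysmon Event ID 1 / Windows 4688). The sample events, and the assumption that a genuine sihost.exe runs from System32 and is spawned by svchost.exe, are mine and not facts stated in the article.

```python
"""Flag sihost.exe launches that look like process hollowing.  Added example,
not Morphisec's code.  Event fields are modelled on Sysmon Event ID 1 /
Windows 4688; the sample events are constructed.  Assumption (about normal
Windows behaviour, not stated in the article): a genuine sihost.exe lives in
%SystemRoot%\\System32 and is started by svchost.exe."""
import ntpath

# Constructed sample telemetry: one benign launch, two that mimic the loader.
EVENTS = [
    {"pid": 4120, "image": r"C:\Windows\System32\sihost.exe",
     "parent_image": r"C:\Windows\System32\svchost.exe"},
    {"pid": 7788, "image": r"C:\Windows\System32\sihost.exe",
     "parent_image": r"C:\Users\alice\Downloads\PhotoEditor_Cracked.exe"},
    {"pid": 7790, "image": r"C:\Users\alice\AppData\Local\Temp\sihost.exe",
     "parent_image": r"C:\Windows\explorer.exe"},
]

TARGET = "sihost.exe"
EXPECTED_PARENTS = {"svchost.exe"}              # assumption, see docstring
SYSTEM32 = "c:\\windows\\system32\\"
USER_WRITABLE = ("\\users\\", "\\temp\\", "\\appdata\\", "\\programdata\\")


def _base(path):
    """Lower-cased file name of a Windows path (ntpath handles backslashes)."""
    return ntpath.basename(path).lower()


def classify(event):
    """Return the reasons an event is suspicious (empty list if benign)."""
    image = event["image"].lower()
    parent = event["parent_image"].lower()
    if _base(image) != TARGET:
        return []
    reasons = []
    if not image.startswith(SYSTEM32):
        reasons.append("sihost.exe running from outside System32 (masquerading)")
    if _base(parent) not in EXPECTED_PARENTS:
        reasons.append(f"unexpected parent {_base(parent)}")
    if any(marker in parent for marker in USER_WRITABLE):
        reasons.append("parent binary lives in a user-writable directory")
    return reasons


def suspicious(events):
    """Map pid -> reasons for every event that trips at least one check."""
    out = {}
    for e in events:
        reasons = classify(e)
        if reasons:
            out[e["pid"]] = reasons
    return out


if __name__ == "__main__":
    for pid, reasons in suspicious(EVENTS).items():
        print(pid, "; ".join(reasons))
```

The GPU gate matters for analysis as well: a sandbox that exposes a virtual display adapter (a vendor ID other than AMD, Intel or NVIDIA) never reaches the injection step, so detonation environments should present an allowlisted vendor ID. Samples that invoke the payload from their own memory rather than hollowing sihost.exe will not trip this rule; a separate check for unsigned executables launched from Downloads or Temp directories covers those.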
Large-Scale Campaign Exploits Kubernetes RBAC for Cryptocurrency Mining
A large-scale attack campaign discovered in the wild abuses Kubernetes (K8s) Role-Based Access Control (RBAC) to create backdoors and run cryptocurrency miners. The campaign, dubbed RBAC Buster by cloud security firm Aqua, has compromised at least 60 exposed K8s clusters so far. The attack chain begins with the attacker gaining initial access through a misconfigured API server that accepts unauthenticated requests. Once inside, the attacker checks for evidence of competing miner malware on the compromised server and then abuses RBAC to establish persistence.
The attacker creates a new ClusterRole with near admin-level privileges, followed by a ServiceAccount in the kube-system namespace. Finally, the attacker creates a ClusterRoleBinding that binds the ClusterRole to the ServiceAccount, yielding persistence that is both powerful and inconspicuous, since it looks like ordinary system-level RBAC in a namespace few operators inspect closely. In an intrusion observed against Aqua's K8s honeypots, the attacker also attempted to weaponize exposed AWS access keys to gain a foothold in the environment, steal data, and escape the confines of the cluster. The final step of the attack is a DaemonSet that deploys a container image hosted on Docker Hub ("kuberntesio/kube-controller:1.0.1", a name that typosquats the legitimate kubernetesio account) on all nodes. This container, which has been pulled 14,399 times in the past five months, contains a cryptocurrency miner.
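To look for this persistence pattern in your own clusters, as an added example that is not Aqua's tooling: the Python below walks the JSON that `kubectl get clusterroles,clusterrolebindings,daemonsets -A -o json` emits and flags wildcard ClusterRoles bound to ServiceAccounts, plus DaemonSets that pull images from outside an allowlisted registry. The object layout follows the Kubernetes API; the sample objects, the role and account names and the trusted-registry list are constructed for the example, and the image name is the one reported in the article.

```python
"""Audit Kubernetes RBAC and DaemonSet objects for the RBAC Buster persistence
pattern: a wildcard ClusterRole bound to a ServiceAccount, and a DaemonSet that
pulls an image from an untrusted registry.  Added example, not Aqua's tooling.
Input shape follows what `kubectl get clusterroles,clusterrolebindings,daemonsets
-A -o json` prints (a List whose items each carry their own `kind`)."""
import json
import sys

# Constructed sample, modelled on the campaign: names are invented except the
# image, which is the one reported in the article.
SAMPLE = json.dumps({"kind": "List", "items": [
    {"kind": "ClusterRole", "metadata": {"name": "kube-controller"},
     "rules": [{"apiGroups": ["*"], "resources": ["*"], "verbs": ["*"]}]},
    {"kind": "ClusterRole", "metadata": {"name": "pod-reader"},
     "rules": [{"apiGroups": [""], "resources": ["pods"], "verbs": ["get", "list"]}]},
    {"kind": "ClusterRoleBinding", "metadata": {"name": "kube-controller"},
     "roleRef": {"kind": "ClusterRole", "name": "kube-controller"},
     "subjects": [{"kind": "ServiceAccount", "name": "kube-controller",
                   "namespace": "kube-system"}]},
    {"kind": "ClusterRoleBinding", "metadata": {"name": "dev-pod-reader"},
     "roleRef": {"kind": "ClusterRole", "name": "pod-reader"},
     "subjects": [{"kind": "Group", "name": "developers"}]},
    {"kind": "DaemonSet", "metadata": {"name": "kube-controller", "namespace": "kube-system"},
     "spec": {"template": {"spec": {"containers": [
         {"name": "kube-controller", "image": "kuberntesio/kube-controller:1.0.1"}]}}}},
    {"kind": "DaemonSet", "metadata": {"name": "kube-proxy", "namespace": "kube-system"},
     "spec": {"template": {"spec": {"containers": [
         {"name": "kube-proxy", "image": "registry.k8s.io/kube-proxy:v1.27.1"}]}}}},
]})

# Assumption: the registries you actually deploy from.  An image with no
# registry prefix (like the one above) resolves to docker.io, which is not
# on the list.
TRUSTED_REGISTRIES = ("registry.k8s.io/", "quay.io/")


def is_wildcard_role(role):
    """True if any rule grants every verb on every resource."""
    return any("*" in rule.get("verbs", []) and "*" in rule.get("resources", [])
               for rule in role.get("rules", []))


def audit(doc_json):
    """Return human-readable findings for the supplied kubectl JSON."""
    items = json.loads(doc_json)["items"]
    wildcard = {i["metadata"]["name"] for i in items
                if i["kind"] == "ClusterRole" and is_wildcard_role(i)}
    findings = []
    for i in items:
        name = i["metadata"]["name"]
        if (i["kind"] == "ClusterRoleBinding"
                and i["roleRef"]["kind"] == "ClusterRole"
                and i["roleRef"]["name"] in wildcard):
            for s in i.get("subjects", []):
                if s["kind"] == "ServiceAccount":
                    findings.append(
                        f"ClusterRoleBinding {name} grants wildcard ClusterRole "
                        f"{i['roleRef']['name']} to ServiceAccount "
                        f"{s.get('namespace', '?')}/{s['name']}")
        elif i["kind"] == "DaemonSet":
            ns = i["metadata"]["namespace"]
            for c in i["spec"]["template"]["spec"]["containers"]:
                if not c["image"].startswith(TRUSTED_REGISTRIES):
                    findings.append(
                        f"DaemonSet {ns}/{name} runs untrusted image {c['image']}")
    return findings


if __name__ == "__main__":
    # Pipe real kubectl output in; with no stdin the constructed sample runs.
    data = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE
    for line in audit(data):
        print(line)
```

Expect legitimate hits on a real cluster: `cluster-admin` is a wildcard ClusterRole, and add-ons such as CNI agents often run as DaemonSets from vendor registries, so review findings rather than auto-delete them. The bindings to watch are wildcard roles granted to ServiceAccounts, since those carry a token usable from inside a pod. Closing the initial-access hole means not exposing an API server that accepts anonymous requests and not binding privileges to the `system:anonymous` user or `system:unauthenticated` group.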
Cisco and VMware Release Security Updates to Address Critical Flaws in Their Products
Cisco and VMware have released security updates to fix critical vulnerabilities in their products that could be exploited to execute arbitrary code on affected systems. The most severe is a command injection flaw in Cisco Industrial Network Director (CVE-2023-20036, CVSS score: 9.9), located in the web UI component and caused by improper input validation when a Device Pack is uploaded. An authenticated, remote attacker who alters the upload request could execute arbitrary commands as NT AUTHORITY\SYSTEM on the underlying operating system of the affected device.
Cisco also addressed a medium-severity file permissions vulnerability in the same product (CVE-2023-20039, CVSS score: 5.5) that an authenticated, local attacker could exploit to view sensitive information. Both issues are fixed in version 1.11.3; Cisco credited an unnamed "external" researcher for reporting them. Cisco has also fixed a critical flaw in the external authentication mechanism of the Modeling Labs network simulation platform (CVE-2023-20154, CVSS score: 9.1) that could allow an unauthenticated, remote attacker to access the web interface with administrative privileges; it concerns deployments configured to authenticate against an external authentication server.
VMware, in an advisory released on April 20, 2023, warned of a critical deserialization flaw affecting multiple versions of Aria Operations for Logs (CVE-2023-20864, CVSS score: 9.8). An unauthenticated attacker with network access to VMware Aria Operations for Logs may be able to execute arbitrary code as root. Version 8.12 fixes this vulnerability along with a high-severity command injection flaw (CVE-2023-20865, CVSS score: 7.2) that could allow an attacker with admin privileges to run arbitrary commands as root. "CVE-2023-20864 is a critical issue and should be patched immediately," the company advised.
Google Chrome Suffers Second Zero-Day Attack – Urgent Patch Update Released
Google has released an emergency patch to address another actively exploited high-severity zero-day flaw in its Chrome web browser. The flaw, tracked as CVE-2023-2136, involves an integer overflow in Skia, an open source 2D graphics library. Clément Lecigne of Google’s Threat Analysis Group (TAG) discovered and reported the flaw on April 12, 2023. The vulnerability allows a remote attacker who has compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page. Google has fixed this issue, along with seven other security issues in its latest update.
The company said it is aware of active exploitation of the flaw but has withheld further details to prevent additional abuse. This is the second Chrome zero-day exploited in the wild in 2023, following the patching of CVE-2023-2033 last week. It is unclear whether the two zero-days have been chained together in in-the-wild attacks; CVE-2023-2136 is reachable only from an already-compromised renderer process, so in practice it would be paired with a renderer bug. Users are advised to upgrade to version 112.0.5615.137/138 for Windows and 112.0.5615.137 for macOS and Linux, and to relaunch the browser so the update takes effect.