Cyber Security Weekly Recap (20-26 Feb)


Apple Issues Security Alert for Three New Flaws in iOS and macOS

New vulnerabilities affecting iOS, iPadOS, and macOS have been added to Apple’s security advisories from last month.

CVE-2023-23520 is a race condition in the Crash Reporter component that could allow an attacker to read arbitrary files as root. Apple claims it has fixed the problem by applying additional validation.

The other two vulnerabilities (CVE-2023-23530 and CVE-2023-23531), discovered by the cyber security firm Trellix, are both located in the Foundation framework and can be exploited to execute arbitrary code.

Apple acknowledged the flaws and said it fixed them with “improved memory handling”. On January 23, 2023, the iPhone maker released iOS 16.3, iPadOS 16.3, and macOS Ventura 13.2, which addressed vulnerabilities ranging in severity from medium to high.

According to a report published by Trellix on Tuesday, the two vulnerabilities are part of a new class of bugs that enable malicious actors to bypass code signing and let them execute arbitrary code that could lead to escalation of privileges and sandbox escape on both macOS and iOS.

Over 50,000 Devices Are Infected Every Day With the MyloBot Botnet

Thousands of computers in India, the United States, Indonesia, and Iran have been infected by the sophisticated botnet MyloBot.

BitSight has reported that it is currently seeing more than 50,000 unique infected systems every day. The compromised machines are being used by the residential proxy service BHProxies, according to an analysis of MyloBot’s infrastructure.

Deep Instinct was the first to document MyloBot in 2018, highlighting its anti-analysis techniques and its capability as a downloader.

The ability of MyloBot to download and execute any type of payload after infecting a host is what makes it so dangerous, according to Lumen’s Black Lotus Labs.

Cybercriminals Spread Cryptocurrency Mining Malware via Trojanized macOS Applications

Cryptocurrency mining malware, called XMRig, is being distributed on macOS through tainted versions of legitimate applications.

According to the researchers at Jamf Threat Labs, who made the discovery, the XMRig coin miner was deployed via a malicious tweak to Apple’s Final Cut Pro.

Trend Micro reported on an earlier version of the campaign a year ago, noting that the malware used i2p to conceal network traffic and suspecting that it may have been delivered as a DMG file for Adobe Photoshop CC 2019.

In relation to the discovery, Apple has taken measures to counteract such abuse by requiring more stringent Gatekeeper checks for notarized apps in macOS Ventura, thereby preventing the launch of tampered apps.

The Lazarus Group Is Likely Using the New WinorDLL64 Backdoor to Steal Private Information

New research reveals that the notorious North Korea-aligned Lazarus Group likely used a backdoor associated with a malware downloader called Wslink.

The payload, which ESET has labeled WinorDLL64, is a full-featured implant that can steal data, modify or delete files, run PowerShell commands, and discover a wide range of system details.

Other functions of the malware include session listing, process creation and termination, drive enumeration, and directory compression.

In October 2021, the Slovak cybersecurity company first documented Wslink, calling it a “simple yet remarkable” malware loader that could run received modules in memory.

According to ESET researcher Vladislav Hrčka, the Wslink payload can be leveraged for lateral movement due to its specific interest in network sessions. The payload was initially submitted to the VirusTotal malware database from South Korea, where some of the victims are located.

A New Hacking Ring Called “Clasiopa” Is Going After Asian Materials Research Organizations

An unidentified threat actor employing new methods has specifically gone after Asian institutions involved in materials research.

Broadcom Software’s Symantec is keeping tabs on the cluster that is known by the name Clasiopa. While the hacking group’s background and affiliations remain a mystery, there are indicators that suggest the adversary may have roots in India.

Both the custom backdoor’s mention of “SAPTARISHI-ATHARVAN-101” and the ZIP archive’s “iloveindea1998_” password are examples of this. Saptarishi, which translates literally to “Seven sages” in Sanskrit, is a reference to a group of wise men and women held in high esteem in Hindu literature. The group’s methods of operation suggest that stealing sensitive data and remaining undetected on victim machines are its primary goals.


About the author

Lidia Howler

Lidia is a web content creator with years of experience in the cyber-security sector. She helps readers with articles on malware removal and online security. Her striving for simplicity and well-researched information provides users with easy-to-follow IT-related tips and step-by-step tutorials.
