Ankura CTIX FLASH Update - May 7, 2024

Ankura Consulting Group LLC

Contributor

Ankura Consulting Group, LLC is an independent global expert services and advisory firm that delivers end-to-end solutions to help clients at critical inflection points related to conflict, crisis, performance, risk, strategy, and transformation. Ankura consists of more than 1,800 professionals and has served 3,000+ clients across 55 countries. Collaborative lateral thinking, hard-earned experience, and multidisciplinary capabilities drive results and Ankura is unrivalled in its ability to assist clients to Protect, Create, and Recover Value. For more information, please visit, ankura.com.

Ransomware/Malware Activity

Cuckoo InfoStealer Malware Targets MacOS Systems

Cybersecurity researchers at Kandji have discovered a Mach-O binary malware built to infect both Intel- and ARM-based macOS systems. Cuckoo is being distributed by websites that claim to provide applications designed to rip music from streaming services into MP3 format. The malicious binary is named "upd" and is not signed with a developer ID, which means victims would need to ignore macOS's Gatekeeper security warning to allow execution. Once the malware is allowed to run, it performs a locale check to ensure the infected device is not in Armenia, Belarus, Kazakhstan, Russia, or Ukraine, and then installs a LaunchAgent for persistence, a technique seen in many previous macOS malware families. Cuckoo is designed to steal as much information from the victim machine as possible. The malware also leverages osascript to display fake password prompts that trick victims into entering their system password. Cuckoo is capable of taking screenshots and harvesting data from iCloud Keychain, web browsers, cryptocurrency wallets, and applications such as Telegram and Discord. Stolen data is sent back to the attackers' command-and-control (C2) server. This new malware variant serves as a reminder that macOS systems are not impervious to attack and that defenders should equip macOS assets with appropriate security tooling such as next-generation antivirus. In addition, end users should vet software or applications prior to downloading, and organizations should maintain guardrails around end users' ability to download executables from the internet. CTIX analysts will continue to report on emerging and evolving strains of malware and associated campaigns.
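One way a defender can hunt for the persistence pattern described above (a user-level LaunchAgent whose launch target is an unsigned binary dropped outside the normal install locations). This is an added example, not Kandji's or Ankura's tooling; the plist, the `/Users/victim/...` path and the `TRUSTED_PREFIXES` list are constructed assumptions, and `codesign_verified` only works on a real macOS host.

```python
import plistlib
import subprocess
from typing import Callable, List

# Assumed list of directories where a legitimately installed launch target normally lives.
TRUSTED_PREFIXES = ("/Applications/", "/System/", "/usr/", "/bin/", "/sbin/")

def codesign_verified(path: str) -> bool:
    """Real signature check via Apple's codesign tool (only meaningful on macOS)."""
    result = subprocess.run(["codesign", "--verify", "--strict", path], capture_output=True)
    return result.returncode == 0

def audit_launch_agent(plist_bytes: bytes, is_signed: Callable[[str], bool] = codesign_verified,
                       home: str = "/Users/victim") -> List[str]:
    """Return the reasons a LaunchAgent plist looks like persistence; an empty list means nothing flagged."""
    plist = plistlib.loads(plist_bytes)
    args = plist.get("ProgramArguments") or []
    program = plist.get("Program") or (args[0] if args else None)
    if not program:
        return ["no Program or ProgramArguments key; nothing to launch"]
    if program.startswith("~/"):          # expand a home-relative target before checking it
        program = home + program[1:]
    findings = []
    if not program.startswith("/"):
        findings.append(f"relative program path: {program}")
    elif not program.startswith(TRUSTED_PREFIXES):
        findings.append(f"program outside standard install locations: {program}")
    if plist.get("RunAtLoad") and (plist.get("KeepAlive") or plist.get("StartInterval")):
        findings.append("RunAtLoad combined with KeepAlive/StartInterval: relaunches persistently")
    if not is_signed(program):
        findings.append(f"launch target is not validly code-signed: {program}")
    return findings

# Constructed sample modelled on the brief: a LaunchAgent pointing at an unsigned binary named "upd"
# in a user-writable directory (the path is invented for illustration).
SAMPLE_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>Label</key><string>com.example.upd</string>
  <key>ProgramArguments</key>
  <array><string>/Users/victim/Library/Application Support/upd</string></array>
  <key>RunAtLoad</key><true/>
  <key>KeepAlive</key><true/>
</dict></plist>"""

if __name__ == "__main__":
    # Stand-alone run: treat everything as unsigned so the sample also runs off macOS.
    for line in audit_launch_agent(SAMPLE_PLIST, is_signed=lambda _p: False):
        print("FLAG:", line)
```

In production you would iterate over `~/Library/LaunchAgents` and `/Library/LaunchAgents` and feed each file's bytes to `audit_launch_agent`.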

Threat Actor Activity

North Korean-linked APT43 Phishing Campaign Exploits DMARC Email Policies

The U.S. Government, through a collaborative effort between the NSA, FBI, and State Department, has issued a warning about an ongoing cyber espionage campaign orchestrated by the North Korean-linked threat actor APT43, also known as Kimsuky or Emerald Sleet. APT43, active since at least 2012, has links to North Korea's main military intelligence organization, the US-sanctioned Reconnaissance General Bureau (RGB), and is best known for its intelligence-collection and espionage activities. The APT43 campaign has been ongoing since the end of 2023 and seeks to exploit weaknesses in email security systems, specifically in Domain-based Message Authentication, Reporting, and Conformance (DMARC) policies. By exploiting these weaknesses, the attackers can send spear-phishing emails that appear to originate from legitimate and trusted sources, allowing them to pose as journalists, academics, or other experts in East Asian affairs. Their focus is gathering intelligence related to geopolitical events, foreign policy strategies, and other areas of interest to the Democratic People's Republic of Korea (DPRK). The group employs sophisticated social engineering and impersonation tactics to build trust with its targets over time, as part of a broader strategy to collect sensitive information without necessarily resorting to malware or credential harvesting, often by soliciting opinions or analyses directly from the targets. The campaign's success is partly due to the exploitation of entities that have either not enabled or improperly configured their DMARC policies, allowing these phishing emails to bypass traditional security checks.
Per the advisory, CTIX analysts advise organizations to update their DMARC policies so that receiving email servers quarantine or reject emails that fail DMARC checks. This applies especially to US or South Korean entities with individuals working on matters related to North Korea, Asia, China, or Southeast Asia, and more specifically to government officials and military members.

Vulnerabilities

"Dirty Stream" Attack Leaves Billions of Android Devices Susceptible to Compromise

Microsoft researchers have uncovered a new attack named "Dirty Stream", caused by a common security vulnerability affecting numerous Android applications, including some with over 500 million installations each, leaving them susceptible to remote code execution (RCE) and token theft. The weakness lies in Android's file-sharing mechanism, specifically the content provider feature, which does not always validate content received from other applications. This oversight allows malicious applications to manipulate filenames, potentially compromising receiving applications when they process the files. Microsoft has alerted Google, and both have offered guidance to developers on remediation. Xiaomi's File Manager and WPS Office were among the affected applications and have since been patched. Microsoft warns that more vulnerable applications may surface. CTIX analysts urge readers to update their applications and download only from trusted sources.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.
