InfoSec Weekly

July 03, 2023

Table Of Contents

Beware: New ‘Rustbucket’ Malware Variant Targeting macOS Users

Description

Researchers have discovered an updated version of the Apple macOS malware called Rustbucket. This variant, attributed to the North Korean threat actor BlueNoroff, exhibits improved persistence capabilities and employs a dynamic network infrastructure for command-and-control. Rustbucket was initially identified as an AppleScript-based backdoor, capable of retrieving a second-stage payload from a remote server. The second-stage malware, compiled in Swift, downloads the main Rust- based binary from the command-and-control server. A .NET version of Rustbucket with similar features has also been observed. The attacks primarily target finance-related institutions in Asia, Europe, and the U.S., indicating a focus on illicit revenue generation. The malware utilizes a backdoored PDF reader and employs phishing emails and bogus social media profiles for initial intrusion. The newly identified version establishes persistence by creating a plist file and copying the binary to specific paths on the compromised system.

Infected Technology

Apple macOS

Source

https://thehackernews.com/2023/07/beware-new-rustbucket-malware-variant.html

Recommendation

• Keep macOS systems updated. • Deploy robust endpoint protection solutions. • Provide user awareness training on phishing and social engineering. • Implement email filtering to block malicious attachments. • Use application whitelisting to control authorized software. • Monitor network traffic for unusual patterns.


New JokerSpy Malware Targets MAC OS

Description

A new malware JokerSpy which effects macOS has been found exploiting devices across organizations. Once a device is infected, the malware connects to a C2 server and then proceeds further according to the response from the server. It creates a reverse shell and a backdoor through which the attacker can access the victim’s machine. Various victim device data such as the path to the backdoor python script along with the python version, hostname, username, domain name, OS version etc. are sent periodically to the attacker. Furthermore, within the malware’s construction, a hidden “xcc” binary was also found which contains Mach-O for x86 Intel and ARM M1 architectures. The malware was found to be collecting data related to the victim’s behaviors such as device idle time (last use of keyboard, mousepad etc.), active (frontmost) app, screen status (locked or unlocked), full disk access, screen recoding access and accessibility permission of the active app etc.

Infected Technology

Intel and Apple Silicone Macs (x86 Intel and ARM M1 architectures)

Source

https://cybersecuritynews.com/jokerspy-macos-malware/

Recommendation

• Keep the macOS up to date which will provide new and consistent security fixes. • Exercise good online hygiene when surfing the web. • Do not open malicious links or emails. • Download files only from trusted sites. • Use security options provided by some browsers like Brave when browsing the web which will ensure secure browsing.


200,000 WordPress Sites Exposed to Attacks Exploiting Flaw in ‘Ultimate Member’ Plugin

Description

Tracked as CVE-2023-3460 (CVSS score of 9.8), the recently identified security defect in Ultimate Member allows attackers to add a new user account to the administrators group. Due to the difference in operation between the plugin and WordPress, attackers were able to trick the plugin into updating metadata keys, including one that stores user role and capabilities, WPScan explains. The company provides indicators of compromise (IoCs) associated with the observed attacks. This has allowed attackers to register user accounts with the administrator role, and at least two site owners have observed and reported the suspicious activity. The plugin’s maintainers, who describe the issue as a privilege escalation bug, have attempted to address it in the last two versions of Ultimate Member, but they have reportedly failed to fully patch it. However, they did acknowledge the ongoing in-the-wild exploitation.

Infected Technology

WordPress Site with ‘Ultimate Member’ Plugin

Source

https://www.securityweek.com/200000-wordpress-sites-exposed-to-attacks-exploiting-flaw-in-ultimate-member-plugin/

Recommendation

• Implement the least privilege principle for user roles. • Monitor site activity for unusual behavior. • Use reputable security plugins or firewalls.


Fortinet fixes critical RCE flaw in Fortigate SSL-VPN devices, patch now

Description

Fortinet, a leading network security solutions provider, has resolved a critical Remote Code Execution (RCE) vulnerability affecting its FortiGate SSL VPN devices. This flaw could allow attackers to execute arbitrary code on vulnerable systems, leading to a complete compromise of the devices. Fortinet responded swiftly by releasing security patches and firmware updates to address the vulnerability, urging all users to apply them immediately. Prompt patching and adherence to security best practices, such as strong passwords and regular updates, are essential to mitigate the risk and maintain a robust security posture. The critical RCE vulnerability in FortiGate SSL VPN devices could enable attackers to execute arbitrary code with elevated privileges. Exploiting this flaw could lead to unauthorized access, tampering with network configurations, and potential data breaches. Fortinet’s proactive response included the release of security patches, firmware updates, and recommendations for users to promptly apply them. Organizations utilizing FortiGate SSL VPN devices must prioritize patching and follow security best practices to protect their networks from potential exploitation and ensure a secure environment.

Infected Technology

Fortinet Products

Source

https://www.bleepingcomputer.com/news/security/fortinet-fixes-critical-rce-flaw-in-fortigate-ssl-vpn-devices-patch-now/

Recommendation

• Patch and update immediately

CVE ID

CVE CVE-2023-28299

FluHorse: Flutter-Based Android Malware Emerges, Targeting Mobile Devices

Description

In a concerning development for mobile device users, security researchers have recently uncovered a new Android malware called FluHorse. This sophisticated malware, developed using the Flutter framework, poses a significant threat to Android devices, compromising user privacy and device security. Understanding the nature of this emerging threat is crucial for Android users to protect themselves from potential harm. FluHorse leverages the cross-platform capabilities of the Flutter framework, which is popular for developing visually appealing and high-performing mobile applications. By exploiting this framework, malware gains the ability to infect a wide range of Android devices, putting millions of users at risk. The malware operates stealthily, avoiding detection and remaining hidden within legitimate-looking applications.

Infected Technology

Android devices running Flutter applications.

Source

https://thehackernews.com/2023/06/fluhorse-flutter-based-android-malware.html

Recommendation

• Download and install applications from trusted sources, such as the official Google Play Store. • Avoid sideloading apps from third-party websites or unofficial sources, as they may contain malicious code.



call to action image

Ready to get started?

Don’t let the attacker get the upper hand – protect your services with our expertise. Contact us now and stay ahead of the game.

Contact Us