Web servers running Windows Internet Information Services (IIS) are under attack and being exploited to spread malware. Lazarus is a North Korean government-run advanced persistent threat (APT) group. The group's initial target was obtaining access to corporate networks; however, it is now focusing on weakly protected and vulnerable IIS servers, hijacking them, and then distributing malware from them. The main incentive for breaching IIS servers is the ease with which attackers can infect users whose services are hosted on these compromised servers belonging to trustworthy organizations. Recently, Lazarus infiltrated South Korean financial security software with a compromised version of INISAFE CrossWeb EX V6. Then, to gain greater access to the system, Lazarus employed a privileged malware loader known as JuicyPotato. This tool gives attackers the ability to decode installed data files and load them into memory while avoiding antivirus scanners.
(Source: BleepingComputer)
Five zero-day vulnerabilities (referred to collectively as TETRA:BURST) were recently discovered in the emergency radio voice and data service Terrestrial Trunked Radio (TETRA). TETRA is used by law enforcement, fire departments, and the military all over the world. The system's channels provide distinct key management, voice, and data encryption. The TETRA Encryption Algorithm TEA1 encrypts the traffic transmitted across the TETRA network. Midnight Blue Labs discovered these five vulnerabilities, two of which are critical.
The two critical vulnerabilities enable attackers to track law enforcement, listen in on discussions without raising any red flags, and modify critical infrastructure communications. CVE-2022-24401 allows attackers to receive any encrypted messages sent to a radio by targeting that channel. CVE-2022-24402 affects the TEA1 algorithm, which uses an 80-bit key. If an attacker brute-forced this 80-bit key, all conversations could be obtained without detection.
(Source: DarkReading)
A new AI bot called FraudGPT has been linked to the same attacker who developed WormGPT earlier this month. FraudGPT, like WormGPT, can be purchased on the dark web for spear phishing emails, cracking tools, and carding. However, FraudGPT is designed for short-term and large-scale attacks such as phishing, whereas WormGPT is used for long-term attacks involving malware and ransomware. Other threat actors can use the tool by paying a subscription. Subscribers are shown how to produce an extremely credible-looking email that contains malicious links.
(Source: SCMagazine)
A major flaw in the Mikrotik RouterOS operating system that was first identified in June 2022 continues to affect devices. Mikrotik's severe vulnerability CVE-2023-30799 allows remote attackers to discreetly upgrade their admin accounts to super admin accounts. Attackers can gain full control of the entire RouterOS operating system and change the code path without raising any suspicion. This flaw, which has already been detected on 926,000 devices, is said to be especially enticing to attackers looking to jailbreak a network and change the operating system. Hackers need admin access to get in, but the system is pre-programmed to have an admin account. Mikrotik advises users to update to the newest version of RouterOS because they do not believe this is the end of the attack.
(Source: TheHackerNews)
The hacking gang Lazarus, which was previously reported in this blog for breaching Microsoft's web servers, has just carried out another successful campaign. The North Korean group stole $60 million from the cryptocurrency payment provider Alphapo. Initially, the group obtained $23 million from the payment provider and later acquired a further $37 million in TRON and BTC. Lazarus tricks employees at crypto firms into opening malicious files, which infect their systems and cause them to lose account credentials. Over the past two years, Lazarus has successfully stolen $617 million in the Axie Infinity robbery, $35 million in the Atomic Wallet heist, and $100 million in the Harmony Horizon attack.
(Source: BleepingComputer)