NK attacks drills, Android APK malware, space industry warning

North Korean hackers suspected of targeting S. Korea-US drills

A joint military exercise between South Korea and the U.S., the Ulchi Freedom Shield drills, is scheduled to start today, Monday, and run through August 31. This year the annual event has been targeted by hackers strongly suspected of belonging to Kimsuky, a North Korean group, who attempted to disrupt it by carrying out “continuous malicious email attacks” on South Korean contractors working at the allies’ war simulation center. South Korean police and the US military confirm that the IP address used in this spear-phishing attack matches one the group used in a 2014 attack on a South Korean nuclear reactor.

(Security Week)

Android malware apps use APK compression to evade detection

Security researcher Fernando Ortega of mobile security company Zimperium describes a new technique for attacking Android devices: deploying Android Package (APK) files that use unfamiliar or unsupported compression methods, which analysis tools fail to unpack while the device still installs them. To date, Zimperium has identified 3,300 artifacts in the wild that use compression algorithms in this way; 71 of the identified samples can be loaded on the operating system without any problems. Zimperium has found no evidence that these apps were ever available through the Google Play Store, which suggests they arrive via untrusted app stores or techniques such as social engineering.

(The Hacker News)
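As an added illustration (not code from Zimperium or from the article), here is a small Python scanner that walks an APK's ZIP central directory and flags any entry whose compression method is neither stored (0) nor deflate (8), the only two methods an APK is expected to use. It also flags an entry whose local file header disagrees with the central directory, a related inconsistency that goes slightly beyond what the article describes. The sample archive is constructed inside the script: the method code 0x0EED, the file names and the file contents are made up for the demonstration.

```python
import struct
import zlib

LOCAL_SIG = b"PK\x03\x04"
CENTRAL_SIG = b"PK\x01\x02"
EOCD_SIG = b"PK\x05\x06"

# Methods an APK is expected to use: stored (0) and deflate (8).
# Anything else is the "unfamiliar or unsupported" case the article describes.
EXPECTED_METHODS = {0: "stored", 8: "deflate"}


def build_zip(entries):
    """Write a minimal ZIP: one local header per entry, a central directory, an EOCD.

    `entries` is a list of (name, data, method). Data is written as-is, so a
    non-zero method here deliberately misdescribes how the payload is encoded,
    which is exactly what a scanner should notice.
    """
    body = bytearray()
    central = bytearray()
    for name, data, method in entries:
        name_b = name.encode()
        crc = zlib.crc32(data) & 0xFFFFFFFF
        offset = len(body)
        body += struct.pack("<4sHHHHHIIIHH", LOCAL_SIG, 20, 0, method, 0, 0,
                            crc, len(data), len(data), len(name_b), 0)
        body += name_b + data
        central += struct.pack("<4sHHHHHHIIIHHHHHII", CENTRAL_SIG, 20, 20, 0,
                               method, 0, 0, crc, len(data), len(data),
                               len(name_b), 0, 0, 0, 0, 0, offset)
        central += name_b
    cd_offset = len(body)
    eocd = struct.pack("<4sHHHHIIH", EOCD_SIG, 0, 0, len(entries), len(entries),
                       len(central), cd_offset, 0)
    return bytes(body + central + eocd)


def scan_zip(blob):
    """Return one record per entry with both method fields and a suspicious flag.

    An entry is suspicious when the central-directory method or the local-header
    method is outside EXPECTED_METHODS, or when the two disagree.
    """
    eocd_pos = blob.rfind(EOCD_SIG)
    if eocd_pos < 0:
        raise ValueError("no end-of-central-directory record")
    _, _, _, _, total, _, cd_offset, _ = struct.unpack(
        "<4sHHHHIIH", blob[eocd_pos:eocd_pos + 22])
    findings = []
    pos = cd_offset
    for _ in range(total):
        fields = struct.unpack("<4sHHHHHHIIIHHHHHII", blob[pos:pos + 46])
        if fields[0] != CENTRAL_SIG:
            raise ValueError("central directory corrupt")
        cd_method, name_len, extra_len, comment_len, local_off = (
            fields[4], fields[10], fields[11], fields[12], fields[16])
        name = blob[pos + 46:pos + 46 + name_len].decode(errors="replace")
        pos += 46 + name_len + extra_len + comment_len
        local = struct.unpack("<4sHHHHHIIIHH", blob[local_off:local_off + 30])
        if local[0] != LOCAL_SIG:
            raise ValueError(f"local header for {name} corrupt")
        local_method = local[3]
        suspicious = (cd_method not in EXPECTED_METHODS
                      or local_method not in EXPECTED_METHODS
                      or cd_method != local_method)
        findings.append({"name": name, "cd_method": cd_method,
                         "local_method": local_method, "suspicious": suspicious})
    return findings


# Constructed sample: a benign stored manifest plus an entry that claims an
# unregistered method (0x0EED is not a defined ZIP method; contents are dummies).
SAMPLE = build_zip([
    ("AndroidManifest.xml", b"<manifest/>", 0),
    ("classes.dex", b"dex\n035\x00" + b"\x00" * 8, 0x0EED),
])


def suspicious_entries(blob=SAMPLE):
    """Names of entries a triage pipeline should pull aside for manual review."""
    return [f["name"] for f in scan_zip(blob) if f["suspicious"]]


if __name__ == "__main__":
    for f in scan_zip(SAMPLE):
        flag = "SUSPICIOUS" if f["suspicious"] else "ok"
        print(f"{f['name']:22} cd={f['cd_method']:#06x} local={f['local_method']:#06x} {flag}")
```

Running the script lists the two constructed entries and flags `classes.dex`; pointed at a real APK (`scan_zip(open(path, "rb").read())`) it gives a quick triage signal before any decompilation is attempted.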

Juniper Networks patches J-Web flaws

Network hardware and software manufacturer Juniper Networks has released an “out-of-cycle” security update to address vulnerabilities in the J-Web component of Junos OS. According to their published advisory, “by chaining exploitation of these vulnerabilities, an unauthenticated, network-based attacker may be able to remotely execute code on the devices.” The vulnerabilities carry the sequential CVE numbers CVE-2023-36844 through CVE-2023-36847, with a cumulative CVSS score of 9.8. Information on the patches and workarounds is available in their advisory. A link is available in the show notes to this episode.

(Security Affairs and Juniper Networks)

Google Pixel phones gain certificate of authenticity

Pixel Binary Transparency is the name of a new technology from Google aimed at ensuring that the code within the operating system of a Pixel phone is what it should be. It joins Android’s Verified Boot feature as a way to ensure that malware has not been inserted into the software and that the code itself has not been tampered with along its lengthy supply chain. It uses public cryptographic logs to record what a Pixel installation should look like. New entries can be added to the log when new software is released, but existing entries can’t be changed or deleted, so unauthorized edits are visible.

(Wired and Google)
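To make the append-only log concrete, here is an added Python example; it is not Google's code, and it is a simplification of the RFC 6962-style Merkle tree that binary transparency logs are built on. Releases are hashed into a Merkle tree, each release gets an inclusion proof that a device can check against the published root, appending a new release keeps every earlier proof valid, and any edit to an already-logged entry changes the root so the genuine entry no longer verifies against it. The release strings are constructed placeholders, not real Pixel build identifiers.

```python
import hashlib


def leaf_hash(data):
    # RFC 6962 domain separation: leaves are prefixed with 0x00 ...
    return hashlib.sha256(b"\x00" + data).digest()


def node_hash(left, right):
    # ... and interior nodes with 0x01, so a leaf can never pose as a node.
    return hashlib.sha256(b"\x01" + left + right).digest()


def split_point(n):
    """Largest power of two strictly less than n (n >= 2)."""
    k = 1
    while k * 2 < n:
        k *= 2
    return k


def root_hash(leaves):
    """Merkle tree head over the ordered list of entries."""
    if not leaves:
        return hashlib.sha256(b"").digest()
    if len(leaves) == 1:
        return leaf_hash(leaves[0])
    k = split_point(len(leaves))
    return node_hash(root_hash(leaves[:k]), root_hash(leaves[k:]))


def inclusion_proof(leaves, index):
    """Sibling hashes from the leaf up to the root, each tagged with its side."""
    if len(leaves) == 1:
        return []
    k = split_point(len(leaves))
    if index < k:
        return inclusion_proof(leaves[:k], index) + [(root_hash(leaves[k:]), "R")]
    return inclusion_proof(leaves[k:], index - k) + [(root_hash(leaves[:k]), "L")]


def verify_inclusion(root, entry, proof):
    """What a device would run: rebuild the root from the entry and its proof."""
    h = leaf_hash(entry)
    for sibling, side in proof:
        h = node_hash(h, sibling) if side == "R" else node_hash(sibling, h)
    return h == root


class TransparencyLog:
    """Append-only log: entries can be added, never changed or removed."""

    def __init__(self):
        self._entries = []

    def append(self, entry):
        self._entries.append(entry)
        return self.root()

    def root(self):
        return root_hash(self._entries)

    def proof(self, index):
        return inclusion_proof(self._entries, index)

    def entries(self):
        return list(self._entries)


# Constructed placeholder release records (format and values invented here).
RELEASES = [b"pixel-release-1:hash=aaaa", b"pixel-release-2:hash=bbbb",
            b"pixel-release-3:hash=cccc", b"pixel-release-4:hash=dddd",
            b"pixel-release-5:hash=eeee"]


def demo():
    """Returns four booleans: all proofs verify, tampering changes the root,
    the genuine entry fails against the tampered root, and appending a new
    release keeps earlier entries provable."""
    log = TransparencyLog()
    for r in RELEASES:
        log.append(r)
    root = log.root()
    all_ok = all(verify_inclusion(root, r, log.proof(i))
                 for i, r in enumerate(RELEASES))
    tampered = log.entries()
    tampered[2] = b"pixel-release-3:hash=evil"   # silent in-place edit
    tampered_root = root_hash(tampered)
    root_changed = tampered_root != root
    old_entry_rejected = not verify_inclusion(tampered_root, RELEASES[2], log.proof(2))
    new_root = log.append(b"pixel-release-6:hash=ffff")
    history_kept = verify_inclusion(new_root, RELEASES[0], log.proof(0))
    return all_ok, root_changed, old_entry_rejected, history_kept


if __name__ == "__main__":
    print(demo())
```

The real system adds a signed tree head and consistency proofs between successive roots; the example shows only the part a device needs in order to check that its installed build is an entry the log has published.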

Thanks to this week’s episode sponsor, Hyperproof

WinRAR flaw lets hackers run programs when RAR archives are opened

WinRAR, a file archiver utility for Windows, has a flaw that lets an attacker execute commands on a computer simply by getting an archive opened. According to Bleeping Computer, “the flaw is tracked as CVE-2023-40477 and could give remote attackers arbitrary code execution on the target system after a specially crafted RAR file is opened.” It has a slightly lower CVSS score of 7.8 because it needs an end user to open an archive. The vendor, RARLAB, released WinRAR version 6.23 on August 2nd to mitigate the issue, and users are advised to update immediately.

(Bleeping Computer)

Security agencies warn space industry of increased attacks

The FBI, the National Counterintelligence and Security Center (NCSC) and the Air Force Office of Special Investigations (AFOSI) jointly published an advisory on Friday warning of increased cyberattacks on the space industry, driven by its growing importance to the global economy. The advisory notes that attempted cyberattacks on the U.S. space industry have mostly focused on the theft of proprietary data and intellectual property, but the agencies warn of growing adversarial interest in “collecting data from satellites, disrupting U.S. satellite communications and degrading the United States’ ability to provide critical services during emergencies.”

(The Record and DNI.gov)

Illinois hospital in ransomware attack

Chicago-area Morris Hospital and Healthcare Centers is reporting a ransomware attack purportedly from the Royal ransomware group, although their announcement does not name any attacker. The attack was discovered on April 4, and may involve the PII and medical information of patients, as well as PII of employees and their families, adding up to a total of 250,000 people potentially affected. Royal is well known for continuing to attack hospitals even though this sector is considered off limits by many other gangs.

(The Record)

Last week in ransomware

One of the highlights of the ransomware beat last week was watching LockBit struggle with the challenges of scaling up: bandwidth and storage problems left it unable to leak the data it claims to have stolen. Germany’s national bar association was hit with ransomware, as was Morris Hospital in Chicago, as just mentioned. MOVEit continues to make the news, with Colorado warning of the theft of PII of 4 million people, and a new ransomware named Knight generated problems for TripAdvisor.

(Bleeping Computer and Cyber Security Headlines)
