Apple's emergency patch, AI-generated art and more security headlines from the past week.

Thursday, June 29, 2023 14:06

Welcome to this week’s edition of the Threat Source newsletter.

AI-generated art is causing drama across the internet over the past few months, from Marvel TV show opening credits scenes to predatory YouTubers who claim YOU can make millions by having AI tools create children’s books for you.

There are all sorts of ethical and legal implications that AI-generated art has that I don’t have the space here to cover, but I did think it was worth noting that these tools are already being used in cyber attacks and online scams.

These tools can create extremely convincing deepfake art that could lead to the spread of misinformation or disinformation, especially concerning major news events and political figures. I’ve written about this in the newsletter before.

There are also dozens of apps that promise to create convincing AI art or portraits of people serving another malicious purpose. As McAfee pointed out in this blog post, some Android apps offered to “zhuzh up” users’ profile pictures with AI filters but were actually trojanized apps with hidden information stealers. And at the end of the day, they were all using the same basic filters. Many of these apps could also be stealing and re-using the pictures users submitted to these apps (remember the saga of the app that showed what it would be like when you got old?).

I have more to get to this week, so I’m not going to go much deeper into the subject, but as always, be vigilant of apps’ privacy policies and do a quick background check on their creators before downloading something hoping to create a Skrull version of yourself.

I’m also excited to show off this new video featuring a behind-the-scenes interview with Talos.

This video from Cisco Secure shines a spotlight on the evolution and future of ransomware. Watch it below or over on Cisco.com here to find out how our threat hunters identify new and evolving threats in the wild, and how their research and intelligence help organizations build strong defenses.

**The one big thing**

Apple released an emergency patch last week for all its operating systems for two zero-click vulnerabilities that could allow an attacker to completely take over a targeted device. The two vulnerabilities, identified as CVE-2023-32434 and CVE-2023-32435, were used to reportedly compromise phones in Russia. The issues were part of the so-called Triangulation spyware discovered on iPhones of employees of Kaspersky, a Russia-based cybersecurity company, but the malware was removed from phones after a device reboot.

**Why do I care?**

The chances of being targeted by the Triangulation spyware is slim-to-none based on what the security community knows to this point, but either way, the existence of a zero-day vulnerability in iOS is always big news. Apple encouraged users to upgrade to iOS 16.5.1 and iPadOS 16.5.1 for users of those devices. The company also said that CVE-2023-32434 "may have been actively exploited against versions of iOS released before iOS 15.7."

**So now what?**

All Apple users should update these affected products as soon as possible. The U.S. Cybersecurity and Infrastructure Security Agency also released an advisory telling “users and administrators to review \[Apple’s\] advisories and apply the necessary updates.”

**Top security headlines of the week**

The self-identifying hacktivist group “Anonymous Sudan” is **more active than initially thought.** While researchers are still unsure as to the group’s connections to any nation-states, the group says it’s advocating on behalf of Sudan. It first came onto the scene earlier this month, taking credit for a distributed denial-of-service attack against Microsoft that affected Outlook. Now, researchers are saying their activities actually started prior to that with attacks targeting Israel, Sweden and other nations earlier this year. Microsoft confirmed last week that a Layer 7 DDoS attack was responsible for outages affecting Azure, Outlook and OneDrive, saying that, “these attacks likely rely on access to multiple virtual private servers (VPS) in conjunction with rented cloud infrastructure, open proxies, and DDoS tools” and that there is “no evidence that customer data has been accessed or compromised." (Bloomberg, Bleeping Computer)

**The list of companies affected by the MOVEit breach continues to grow.** Clop, the threat actor behind the attacks, added Schneider Electric and Siemens Energy — two major electric corporations — to its leak site this week. The University of California Los Angeles (UCLA) also confirmed it discovered on June 1 that it was the target of the campaign, though it quickly engaged the college’s incident response team and patched the issue. Since the attack went public, Clop’s leak site mainly called out seven U.S. state and local governments, including the nation’s largest public-employee pension fund — the California Public Employees’ Retirement System. And the New York City public school system was also affected, with more than 45,000 students having their personal data stolen, including sensitive information like Social Security numbers. (The Record by Recorded Future, CyberScoop)

**The FBI seized the domain belonging to the infamous hacking site BreachForums,** three months after arresting its creator. Users of BreachForums were known for sharing and selling stolen personal data from a variety of websites and companies. BreachForums was quiet for several weeks after the admin, known as “Pompompurin,” was arrested. However, the site’s newest admin decided to launch the site on new servers earlier this month. In addition to the usual display of the law enforcement agencies’ logos who were involved in the takedown, BreachForums’ homepage now also displays an image of the avatar Pompompurin used in handcuffs. (TechCrunch, Infosecurity Magazine)

**Can’t get enough Talos?**

*   Service overview: Talos Incident Response purple team
*   Vulnerability Spotlight: Use-after-free condition in Google Chrome WebGL
*   Video: How Talos’ open-source tools can assist anyone looking to improve their security resilience
*   Talos Takes Ep. #144: What we know so far about the MOVEit zero-day making the rounds

**Upcoming events where you can find Talos**

**BlackHat** **(Aug. 5 - 10)**

Las Vegas, Nevada

**Grace Hopper Celebration (Sept. 26 - 29)**

Orlando, Florida

> _Caitlin Huey, Susan Paskey and Alexis Merritt present a "Level Up Lab" titled "Don’t Fail Knowledge Checks: Accelerating Incident Response with Threat Intelligence." Participate in several fast-paced activities that emphasize the importance of threat intelligence in security incident investigations. Attendees will act as incident responders investigating a simulated incident that unfolds throughout this session. Periodic checkpoints will include discussions that highlight how incident response and threat intelligence complement each other during an active security investigation._

**Most prevalent malware files from Talos telemetry over the past week**

**SHA 256:** 5616b94f1a40b49096e2f8f78d646891b45c649473a5b67b8beddac46ad398e1  
**MD5:** 3e10a74a7613d1cae4b9749d7ec93515  
**Typical Filename:** IMG001.exe  
**Claimed Product:** N/A  
**Detection Name:** Win.Dropper.Coinminer::1201

**SHA 256:** 59f1e69b68de4839c65b6e6d39ac7a272e2611ec1ed1bf73a4f455e2ca20eeaa  
**MD5:** df11b3105df8d7c70e7b501e210e3cc3  
**Typical Filename:** DOC001.exe  
**Claimed Product:** N/A  
**Detection Name:** Win.Worm.Coinminer::1201

**SHA 256:** a31f222fc283227f5e7988d1ad9c0aecd66d58bb7b4d8518ae23e110308dbf91  
**MD5:** 7bdbd180c081fa63ca94f9c22c457376  
**Typical Filename:** c0dwjdi6a.dll  
**Claimed Product:** N/A  
**Detection Name:** Trojan.GenericKD.33515991

**SHA 256:** e12b6641d7e7e4da97a0ff8e1a0d4840c882569d47b8fab8fb187ac2b475636c  
**MD5:** a087b2e6ec57b08c0d0750c60f96a74c  
**Typical Filename:** AAct.exe  
**Claimed Product:** N/A  
**Detection Name:** PUA.Win.Tool.Kmsauto::1201

**SHA 256:** 00ab15b194cc1fc8e48e849ca9717c0700ef7ce2265511276f7015d7037d8725  
**MD5:** d47fa115154927113b05bd3c8a308201  
**Typical Filename:** mssqlsrv.exe  
**Claimed Product:** N/A  
**Detection Name:** Trojan.GenericKD.65065311

New video provides a behind-the-scenes look at Talos ransomware hunters

Deserialization of untrusted data in Microsoft Messaging Queuing Service in Medtronic's Paceart Optima versions 1.11 and earlier on Windows allows an unauthorized user to impact a healthcare delivery organization’s Paceart Optima system cardiac device causing data to be deleted, stolen, or modified, or the Paceart Optima system being used for further network penetration via network connectivity.

**Paceart Optima System Application Security Update**

**Summary**

Medtronic has identified a vulnerability in an optional messaging feature in the Paceart Optima cardiac device data workflow system. This feature is not configured by default, and it cannot be exploited unless enabled. As a precautionary measure, Medtronic is notifying customers that if exploited, this vulnerability could result in a healthcare delivery organization’s Paceart Optima system’s cardiac device data being deleted, stolen, or modified, or the Paceart Optima system being used for further network penetration.

Healthcare delivery organizations should work with Medtronic Paceart technical support to install an update to the Paceart Optima application to eliminate this vulnerability from the Paceart Application Server. This security bulletin also includes immediate, temporary steps for a healthcare delivery organization to take to prevent the exploitation of this vulnerability.

**Products impacted**

Paceart Optima™ is a software application that runs on a healthcare delivery organization’s Windows server. The application collects, stores, and retrieves cardiac device data from programmers and remote monitoring systems from all major cardiac device manufacturers to aid in standard workflows. The Paceart Optima product consists of multiple components that work together to deliver product functionality. This vulnerability impacts the Application Server component.

Versions affected:

*   Paceart Optima application versions 1.11 and earlier 

**Vulnerability Overview**

**At this time, Medtronic has not observed any cyberattacks, unauthorized access to or loss of patient data, or harm to patients related to this issue.**

During routine monitoring, Medtronic identified a vulnerability in the optional Paceart Messaging Service within the Paceart Optima system, specifically in the Paceart Messaging Service’s implementation of the Microsoft Message Queuing Protocol. The Paceart Messaging Service enables healthcare delivery organizations to send fax, email, and pager messages within the Paceart Optima system.

If a healthcare delivery organization has enabled the optional Paceart Messaging Service in the Paceart Optima system, an unauthorized user could exploit this vulnerability to perform Remote Code Execution (RCE) and/or Denial of Service (DoS) attacks by sending specially crafted messages to the Paceart Optima system. RCE could result in the Paceart Optima system’s cardiac device data being deleted, stolen, or modified, or the Paceart Optima system being used for further network penetration. A DoS attack could cause the Paceart Optima system to become slow or unresponsive.

The vulnerability is present in Paceart Optima system versions 1.11 and earlier.

**Recommended Actions****Immediate Mitigation Actions:**

_If you have a combined Application and Integration Server, contact Medtronic Paceart Optima system technical support for immediate mitigation actions. All other configurations, follow the steps below._

The vulnerable code will still be present in the application, but will no longer be exploitable.

Step 1: Manually disable the Paceart Messaging Service on the Application Server. 

1.  Open the ‘Windows Services’ application
2.  Find the ‘Paceart Messaging Service’
3.  Right-click the ‘Paceart Messaging Service’ and select ‘Properties’
4.  Select ‘Stop’ to stop running the service and change the startup type to ‘Disabled’
5.  Select ‘Apply’

Step 2: Manually disable message queuing on the Application Server. 

1.  Open server manager
2.  Select ‘Add roles and features’
3.  Select ‘Start the Remove Roles and Features Wizard’
4.  Before you begin – next
5.  Server selection – next
6.  Server roles – next
7.  Features section – take action. Select the black box next to Message Queuing
8.  When the window pops up select ‘Remove Features’ button
9.  Select ‘next’
10.  Confirmation – select ‘Remove’

As long as the Paceart Messaging Service remains disabled, the vulnerability will remain mitigated.

**Long-term Remediation Action:**

For a complete mitigation on the Application Server, update the Paceart Optima system to version 1.12. This update removes the Paceart Messaging Service function and fully remediates the vulnerability on the Application Server. To schedule an update, please reach out to dl.paceartupdate@medtronic.com.

If you are a patient and are concerned about care delivery associated with the Paceart Optima system, please consult your care provider.

**For more information:**

Contact for more support: Medtronic Paceart Optima system technical support  
1-800-PACEART (722-3278)

**Additional Details:**

Cybersecurity professionals may find the following technical information useful for tracking and risk rating purposes:

\-       The vulnerability has been assigned a CVE number, CVE-2023-31222 

\-       The CVSS score for this vulnerability is 9.8.

**Definitions:**

_**Remote Code Execution**_ – Remote code execution (RCE) is a type of security vulnerability that allows attackers to run arbitrary code on a remote machine if connected to it.

_**Denial of Service Attack**_ - A DoS is a type of cyberattack that is meant to shut down a machine, function or network, making it inaccessible to its intended users by consuming available resources with invalid activity. The most common DoS technique is to send invalid network requests that consume available network resources of an online service.

**_Exploit_ \-**An exploit is a program or methodology created to take advantage of a vulnerability in a system or product to gain unauthorized access or negatively affect proper operation.

**_Vulnerability_ –** A vulnerability is a weakness in systems, software or products that compromises security. A vulnerability allows people to perform bad actions on those same systems, software and products.

CVE-2023-31222: Paceart Optima System

The Iranian state-sponsored group dubbed MuddyWater has been attributed to a previously unseen command-and-control (C2) framework called PhonyC2 that's been put to use by the actor since 2021.
Evidence shows that the custom made, actively developed framework has been leveraged in the February 2023 attack on Technion, an Israeli research institute, cybersecurity firm Deep Instinct said in a

The Iranian state-sponsored group dubbed **MuddyWater** has been attributed to a previously unseen command-and-control (C2) framework called **PhonyC2** that's been put to use by the actor since 2021.

Evidence shows that the custom made, actively developed framework has been leveraged in the February 2023 attack on Technion, an Israeli research institute, cybersecurity firm Deep Instinct said in a report shared with The Hacker News.

What's more, additional links have been unearthed between the Python 3-based program and other attacks carried out by MuddyWater, including the ongoing exploitation of PaperCut servers.

"It is structurally and functionally similar to MuddyC3, a previous MuddyWater custom C2 framework that was written in Python 2," security researcher Simon Kenin said. "MuddyWater is continuously updating the PhonyC2 framework and changing TTPs to avoid detection."

MuddyWater, also known as Mango Sandstorm (previously Mercury), is a cyber espionage group that's known to operate on behalf of Iran's Ministry of Intelligence and Security (MOIS) since at least 2017.

The findings arrive nearly three months after Microsoft implicated the threat actor for carrying out destructive attacks on hybrid environments, while also calling out its collaboration with a related cluster tracked as Storm-1084 (aka DEV-1084 or DarkBit) for reconnaissance, persistence, and lateral movement.

"Iran conducts cyber operations aiming at intelligence collection for strategic purposes, essentially targeting neighboring states, in particular Iran's geopolitical rivals such as Israel, Saudi Arabia, and Arabic Gulf countries, a continued focus observed in all operations since 2011," French cybersecurity company Sekoia said in an overview of pro-Iranian government cyber attacks.

Attack chains orchestrated by the group, like other Iran-nexus intrusion sets, employ vulnerable public-facing servers and social engineering as the primary initial access points to breach targets of interest.

"These include the use of charismatic sock puppets, the lure of prospective job opportunities, solicitation by journalists, and masquerading as think tank experts seeking opinions," Recorded Future noted last year. "The use of social engineering is a central component of Iranian APT tradecraft when engaging in cyber espionage and information operations."

Deep Instinct said it discovered the PhonyC2 framework in April 2023 on a server that's related to broader infrastructure put to use by MuddyWater in its attack targeting Technion earlier this year. The same server was also found to host Ligolo, a staple reverse tunneling tool utilized by the threat actor.

The connection stems from the artifact names "C:\\programdata\\db.sqlite" and "C:\\programdata\\db.ps1," which Microsoft described as customized PowerShell backdoors used by MuddyWater and which are dynamically generated via the PhonyC2 framework for execution on the infected host.

PhonyC2 is a "post-exploitation framework used to generate various payloads that connect back to the C2 and wait for instructions from the operator to conduct the final step of the 'intrusion kill chain,'" Kenin said, calling it a successor to MuddyC3 and POWERSTATS.

Some of the the notable commands supported by the framework are as follows -

*   **payload**: Generate the payloads "C:\\programdata\\db.sqlite" and "C:\\programdata\\db.ps1" as well as a PowerShell command to execute db.ps1, which, in turn, executes db.sqlite
*   **droper**: Create different variants of PowerShell commands to generate "C:\\programdata\\db.sqlite" by reaching out to the C2 server and writing the encoded contents sent by the server to the file
*   **Ex3cut3**: Create different variants of PowerShell commands to generate "C:\\programdata\\db.ps1" -- a script that contains the logic to decode db.sqlite -- and the final-stage
*   **list**: Enumerate all connected machines to the C2 server
*   **setcommandforall**: Execute the same command across all connected hosts simultaneously
*   **use**: Get a PowerShell shell on a remote computer
*   **persist**: Generate a PowerShell code to enable the operator to gain persistence on the infected host so it will connect back to the server upon a restart

Muddywater is far from the only Iranian nation-state group to train its eyes on Israel. In recent months, various entities in the country have been targeted by at least three different actors such as Charming Kitten (aka APT35), Imperial Kitten (aka Tortoiseshell), and Agrius (aka Pink Sandstorm).

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

From MuddyC3 to PhonyC2: Iran's MuddyWater Evolves with a New Cyber Weapon

As cloud adoption grows, organizations need to rethink their approaches to securing hybrid cloud and multicloud environments.

Cloud technology is a powerful tool that facilitates collaboration among distributed workforces and allows businesses to quickly scale their digital workloads. According to a Microsoft survey, 95% of respondents said cloud technology was critical to their organizations' successes, and 86% planned to increase their investments in hybrid cloud and multicloud tech. 

However, cloud technology also comes with increased risks. The lack of visibility and coverage across hybrid and multicloud environments can make it difficult for security teams to identify and resolve risks. Security teams are also being asked to monitor fragmented tools across different clouds, which can make it difficult to create a unified view of their comprehensive security posture. 

Microsoft research from earlier this year found that 86% of surveyed decision-makers believed their current cybersecurity strategies were not sufficient to secure their multicloud environments. So how should organizations adapt their security approach?

**Create a Single-Pane-of-Glass View**

Cloud technology enables businesses to quickly scale their digital workloads because they are not constrained by managing physical devices or IT infrastructure. However, this agility can also make it difficult for them to keep track of their various workloads, data streams, and applications because they are scattered across a mix of different cloud platforms and on-premises locations. Securing a hybrid or multicloud environment requires organizations to have visibility and cross-platform control in a single-pane-of-glass view. That way they can visualize the security posture of multiple workloads at once, regardless of location.

**Use CNAPP For Code-to-Cloud Context**

For many organizations, security and compliance used to be distinct silos — making it difficult for development and security teams to protect applications in the cloud. More than half (54%) of enterprises do not integrate security into their DevOps pipelines, according to Microsoft's "Enterprise DevOps Report." Cloud-native application protection platforms (CNAPPs) integrate these silos into a single, easy-to-reference platform to help organizations secure and protect cloud-native applications.

Strong security hygiene means being able to monitor and remediate code within the same pane-of-glass view that organizations use to manage their overall cloud security posture. CNAPPs enable increased collaboration and integration between development and security teams while also reducing the possibility of code issues being moved into the cloud. By intaking all infrastructure-as-code scanning signals and combining them with data sensitivity, identity, and runtime intelligence, CNAPPs enable security teams to make recommendations and prioritize risks within the context of the entire hybrid or multicloud network.

**Fortify Security Hygiene With Threat Detection and Response**

Active threat detection is a critical component of securing the cloud environment against potential cybersecurity breaches. For example, organizations should examine the connections among applications, data stores, and workstreams to anticipate how threat actors could conceivably move through their environments to compromise operations.

When protecting workloads, it's critical that developers, security administrators, and security operations center analysts are all on the same page. It's also important that organizations take a cohesive, collaborative approach to cloud security by ensuring that all of the key players are working together to build security integrations that cover the full scope of your threat landscape. This can look like embedding anti-malware scanning tools into DevOps to ensure a company's code is protected against malware or preventing attackers from entering its network by hardening container security.

_— This article was written by Yuri Diogenes, a member of the Microsoft Security Team._

3 Tips to Increase Hybrid and Multicloud Security

A new version of the double-extortion group's malware reflects a growing trend among ransomware actors to expand cybercrime opportunities beyond Windows.

The fledgling Akira ransomware group is building momentum and expanding its target base, following other cybercriminal groups by adding capabilities to exploit Linux systems as part of a growing sophistication in its activity, researchers have found.

The gang, which emerged as a cybercriminal force to be reckoned with in April of this year, is primarily known for attacking Windows systems, and maintains a unique data-leak site designed as an interactive command prompt using jQuery.

However, the group — named for a 1988 Japanese anime cult classic featuring a psychopathic biker — is now shifting its tactics to target Linux, with a new version of its ransomware that can exploit systems running the open source OS, researchers from Cyble Research and Intelligence Labs (CRIL) revealed in a blog post published June 29.

This move both reflects Akira's evolution as well as a growing trend among ransomware groups, who now see the opportunity in exploiting the popularity of Linux across enterprise environments. Linux has become the de facto standard for running virtual container-based systems, which are typically the back end for Internet of Things (IoT) devices and mission-critical applications.

"The fact that a previously Windows-centric ransomware group is now turning its attention to Linux underscores the increasing vulnerability of these systems to cyber threats," the researchers wrote in the post.

Indeed, the shift by Akira follows a move by other, more established ransomware — such as Cl0p, Royal, and IceFire ransomware groups — to do the same.

Akira is also expanding rapidly, having in just a few months already compromised 46 publicly disclosed victims — the majority of which are located in the US, the researchers said.

Victims span various industries, but the bulk of the victims have come from the education sector, followed close behind by manufacturing, professional services, BFSI, and construction. Other victims are scattered across assorted verticals, including agriculture and livestock, food and beverage, IT and ITES, real estate, consumer goods, automotive, chemical, and other industries, they said.

Akira primarily is focused on compromising and stealing data from its victims using double-extortion tactics, threatening to leak data on the Dark Web if they don't pay the requested ransom.

**How Akira's Linus-Targeting Works**

The new Linux ransomware file infects systems in the form of a console-based 64-bit executable written in Microsoft Visual C/C++ compiler, the researchers said. Upon execution, it uses the API function _GetLogicalDriveStrings()_ to obtain a list of the logical drives currently available in the system.

The malware then drops a ransom note in multiple folders with the file name "akira\_readme.txt," and proceeds to search for files and directories to encrypt by iterating through them using the API functions _FindFirstFileW()_ and _FindNextFileW()_.

The ransomware uses the "Microsoft Enhanced RSA and AES Cryptographic Provider" libraries to encrypt the victim's machine using a fixed hardcoded base64 encoded public key, renaming encrypted files with the ".akira" extension. It also uses several functions from CryptoAPI in its encryption process, the researchers said.

Akira ransomware also includes an additional features that prevents system restoration using a PowerShell command to execute a WMI query that deletes the shadow copy, they added.

The dropped ransom note provides instructions to the victims for contacting Akira to negotiate terms for paying a ransom. The group often threatens victims with plans to leak the data on its ransomware site (aka double extortion), which indeed displays a list of victims that didn't pay and associated leaks of their data, the researchers said.

**How to Prevent & Mitigate Ransomware**

Researchers made a number of recommendations for how organizations can prevent and mitigate ransomware attacks. They include conducting regular backup practices and keeping those backups offline or in a separate network so that systems can be restored in case of attack, they said.

Organizations also should turn on the automatic software update feature on computers as well as other mobile and connected devices wherever possible and pragmatic, and use reliable and trusted antivirus and Internet security software package on all connected devices, the researchers advised.

As ransomware often hitches a ride on files spread through phishing attacks, corporate users also should refrain from opening untrusted links and email attachments without verifying their authenticity, they added.

The steps taken after a ransomware attack also have an impact on how extensive the damage to a network is. If ransomware is detected on an enterprise system, organizations should immediately detach infected devices on the same network, disconnect any connected external storage devices, and inspect system logs for suspicious events, the researchers added.

Newbie Akira Ransomware Builds Momentum With Linux Shift

Two Mideast nations that were at odds until recently have announced the "Crystal Ball" project, aimed at better protecting against cyberattacks via collaboration and knowledge sharing.

In a watershed moment for two once-fractious regional neighbors, the United Arab Emirates (UAE) and Israel are to work together on a threat intelligence-sharing platform to battle cybersecurity threats.

Announced this week, the “Crystal Ball” project is a digital platform for detecting and repelling hackers via collaboration and knowledge sharing around national-level cyberthreats. It was described as being enabled to "design, deploy and enable regional intelligence enhancement," according to a presentation slide seen during this week's Tel Aviv Cyber Week.

The project will be backed by Microsoft, Israel's Rafael Advanced Defense Systems, and Abu Dhabi's CPX, and an unspecified number of countries will also participate, according to The Circuit.

**The Need for a Joined-up Response**

Emirati cybersecurity chief Mohamed Al Kuwaiti said the platform will enable partner countries to "easily and seamlessly share information," and will be strengthened by the combination of the countries' joint abilities, processing power, and a high volume of data.

In an address to the Cyber Week conference, Al Kuwaiti said, "Cyber threats do not distinguish between nations, do not distinguish between entities or people, and that is why we need to unite against those threats. The Crystal Ball that we are aiming for the whole community will be the first step toward that."

Nadir Izrael, co-founder and CTO of Armis, says he welcomes the joint effort in the Middle East because he is "a strong believer that nations need to work together to develop a comprehensive and effective response to cyber warfare, in order to build a more secure and resilient world."

He adds: "As we saw with the cyberattacks on Israel this late April, coordinated efforts from groups associated with Iran and Russia are looking to increase geopolitical tensions and create instability amongst citizens. In a world that has become polarized, it is a must to invest in cybersecurity measures to protect whole nations from these kinds of attacks."

Izrael also noted that the Crystal Ball project should be a model for others. "Governments and organizations need to take threats seriously, and allocate resources to build robust and resilient cybersecurity systems," he says. "Those advanced systems will allow for threat intelligence, which can help detect malicious behavior and stop an attack even before it happens."

**Improved Diplomatic Relations**

Al Kuwaiti said the UAE's connection with Israeli tech companies has been especially helpful in his country's transition to a digital economy, after the UAE and Israel normalized diplomatic relations as part of the September 2020 Abraham Accords, leading to the bolstering of both commercial and strategic ties between the countries.

Ryan Westman, senior manager of threat intelligence at eSentire, says the collaboration of threat intelligence sharing between Israel and the UAE will be key to better securing the region. "In general, any information-sharing agreement will likely benefit organizations in the countries covered, as the more insights we have on threats and vulnerabilities to organizations, the better the job we can do at responding to those the risk those threats and vulnerabilities present," he says. "By sharing information on those threats and vulnerabilities, the easier it is for security teams to respond to the risks." 

He notes that while information sharing and analysis centers (ISACs) have existed for some time now and are not novel, the collaboration between two states that used to be at geopolitical odds is notable.

"Partnerships like this can have a wider impact, improving the security posture for everyone, because it makes it easier to detect potential issues in the wider threat landscape," he says. "Working together in this way benefits everyone, whether they are in the two countries concerned or in others within the region."

UAE, Israel Ink Pivotal Joint Cyber-Threat Intelligence Agreement

The North Korea-aligned threat actor known as Andariel leveraged a previously undocumented malware called EarlyRat in attacks exploiting the Log4j Log4Shell vulnerability last year.
"Andariel infects machines by executing a Log4j exploit, which, in turn, downloads further malware from the command-and-control (C2) server," Kaspersky said in a new report.
Also called Silent Chollima and Stonefly,

The North Korea-aligned threat actor known as **Andariel** leveraged a previously undocumented malware called **EarlyRat** in attacks exploiting the Log4j Log4Shell vulnerability last year.

"Andariel infects machines by executing a Log4j exploit, which, in turn, downloads further malware from the command-and-control (C2) server," Kaspersky said in a new report.

Also called Silent Chollima and Stonefly, Andariel is associated with North Korea's Lab 110, a primary hacking unit that also houses APT38 (aka BlueNoroff) and other subordinate elements collectively tracked under the umbrella name Lazarus Group.

The threat actor, besides conducting espionage attacks against foreign government and military entities that are of strategic interest, is known to carry out cyber crime as an extra source of income to the sanctions-hit nation.

Some of the key cyber weapons in its arsenal include a ransomware strain referred to as Maui and numerous remote access trojans and backdoors such as Dtrack (aka Valefor and Preft), NukeSped (aka Manuscrypt), MagicRAT, and YamaBot.

NukeSped contains a range of features to create and terminate processes and move, read, and write files on the infected host. The use of NukeSped overlaps with a campaign tracked by the U.S. Cybersecurity and Infrastructure Security Agency (CISA) under the name TraderTraitor.

Andariel's weaponization of the Log4Shell vulnerability in unpatched VMware Horizon servers was previously documented by AhnLab Security Emergency Response Center (ASEC) and Cisco Talos in 2022.

The latest attack chain discovered by Kaspsersky shows that EarlyRat is propagated by means of phishing emails containing decoy Microsoft Word documents. The files, when opened, prompt the recipients to enable macros, leading to the execution of VBA code responsible for downloading the trojan.

Described as a simple but limited backdoor, EarlyRat is designed to collect and exfiltrate system information to a remote server as well as execute arbitrary commands. It also shares high-level similarities with MagicRAT, not to mention written using a framework called PureBasic. MagicRAT, on the other hand, employs the Qt Framework.

Another characteristic of the intrusion is the use of legitimate off-the-shelf tools like 3Proxy, ForkDump, NTDSDumpEx, Powerline, and PuTTY for further exploitation of the target.

"Despite being an APT group, Lazarus is known for performing typical cyber crime tasks, such as deploying ransomware, which makes the cybercrime landscape more complicated," Kaspersky said. "Moreover, the group uses a wide variety of custom tools, constantly updating existing and developing new malware."

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

North Korean Hacker Group Andariel Strikes with New EarlyRat Malware

Microsoft Edge (Chromium-based) Spoofing Vulnerability

CVE-2022-23264

Microsoft Edge (Chromium-based) Elevation of Privilege Vulnerability

Tag

#microsoft