Unsafe Parsing of a PNG tRNS chunk in FastStone Image Viewer through 7.5 results in a stack buffer overflow.

CVE-2022-36947: FastStone Image Viewer - Powerful and Intuitive Photo Viewer, Editor and Batch Converter

Lazarus continues to expand an aggressive, ongoing spy campaign, using fake Coinbase job openings to lure in victims.

North Korean advanced persistent threat (APT) Lazarus is casting a wider net with its ongoing Operation In(ter)ception campaign, targeting Macs with Apple's M1 chip.

The state-sponsored group is continuing its favored approach of launching phishing attacks under the guise of fake job opportunities. Threat researchers at endpoint detection provider ESET warned this week that it discovered a Mac executable camouflaged as a job description for an engineering manager position at the popular cryptocurrency exchange operator Coinbase.

According to ESET's warning on Twitter, Lazarus uploaded the bogus job offer to VirusTotal from Brazil. Lazarus designed the latest iteration of the malware, Interception.dll, to execute on Macs by loading three files: a PDF document with the fake Coinbase job posting and two executables, FinderFontsUpdater.app and safarifontsagent, according to the alert. The binary can compromise Macs powered both with Intel processors and with Apple's new M1 chipset.

ESET researchers started investigating Operation In(ter)ception nearly three years ago when its researchers discovered attacks against aerospace and military companies. They determined that the campaign's primary goal was espionage, although it also found instances of the attackers using a victim's email account via a business email compromise (BEC) to complete the operation. The Interception.dll malware renders compelling but fake job offers to lure unsuspecting victims, often using LinkedIn.

The Mac attack is the latest in an ongoing barrage of efforts by Lazarus to accelerate Operation In(ter)ception, which has escalated in recent months. ESET published a detailed white paper on the tactic by Lazarus two years ago.

**Risk Mitigated by Apple**

Ironically, the appealing Coinbase job posting targets technically oriented people.

"We suspect that the attackers were in direct contact, so the victim was probably instructed to click whatever popup windows showed up in order to see the 'dream job' offer from Coinbase," Peter Kalnai, a senior malware researcher for ESET, explains to Dark Reading.

Apple revoked the certificate that would enable the malware to execute late last week after ESET alerted the company of the campaign. So now, computers with macOS Catalina v10.15 or later are protected, presuming the user has basic security awareness, Kalnai notes.

"The certificate has been revoked, so it's not possible to execute it until the user adds it to allowed applications," he said. "Only then this remains a threat when the attackers start to be convincing enough to trick the victim to overcome those obstacles with execution. Moreover, when the attackers approach their victim, they very likely verify that the certificate is not revoked, and in case it is, they may create a new, unrevoked certificate."

The ongoing campaign and others from North Korea remain frustrating for government officials. The FBI blamed Lazarus for stealing $625 million in cryptocurrency from Ronin Network, which operates a blockchain platform for the popular NFT game Axie Infinity.

Andrew Grotto, who served as the senior director for cybersecurity policy at the White House in both the Obama and Trump administrations, says North Korea has arisen from an aspiring antagonist into one of the most aggressive threat actors in the world.

"North Korea has been able to acquire skills that may be required to craft really fast," says Grotto, who is now director of the Center for International Security and Cooperation at Stanford University's program on geopolitics, technology and governance. "They quickly emerged as one of the top, if not the top, cyber operators when it comes to high-end potential crimes."

Mac Attack: North Korea's Lazarus APT Targets Apple's M1 Chip

Scammers are using invoices sent through PayPal.com to trick recipients into calling a number to dispute a pending charge. The missives -- which come from Paypal.com and include a link at Paypal.com that displays an invoice for the supposed transaction -- state that the user's account is about to be charged hundreds of dollars. Recipients who call the supplied toll-free number to contest the transaction are soon asked to download software that lets the scammers assume remote control over their computer.

Scammers are using invoices sent through **PayPal.com** to trick recipients into calling a number to dispute a pending charge. The missives — _which come from Paypal.com and include a link at Paypal.com that displays an invoice for the supposed transaction_ — state that the user’s account is about to be charged hundreds of dollars. Recipients who call the supplied toll-free number to contest the transaction are soon asked to download software that lets the scammers assume remote control over their computer.

KrebsOnSecurity recently heard from a reader who received an email from paypal.com that he immediately suspected was phony. The message’s subject read, “Billing Department of PayPal updated your invoice.”

A copy of the phishing message included in the PayPal.com invoice.

While the phishing message attached to the invoice is somewhat awkwardly worded, there are many convincing aspects of this hybrid scam. For starters, all of the links in the email lead to paypal.com. Hovering over the “View and Pay Invoice” button shows the button indeed wants to load a link at paypal.com, and clicking that link indeed brings up an active invoice at paypal.com.

Also, the email headers in the phishing message (PDF) show that it passed all email validation checks as being sent by PayPal, and that it was sent through an Internet address assigned to PayPal.

Both the email and the invoice state that “there is evidence that your PayPal account has been accessed unlawfully.” The message continues:

“$600.00 has been debited to your account for the Walmart Gift Card purchase. This transaction will appear in the automatically deducted amount on PayPal activity after 24 hours. If you suspect you did not make this transaction, immediately contact us at the toll-free number….”

Here’s the invoice that popped up when the “View and Pay Invoice” button was clicked:

The phony PayPal invoice, which was sent and hosted by PayPal.com.

The reader who shared this phishing email said he logged into his PayPal account and could find no signs of the invoice in question. A call to the toll-free number listed in the invoice was received by a man who answered the phone as generic “customer service,” instead of trying to spoof PayPal or Walmart. Very quickly into the conversation he suggested visiting a site called globalquicksupport\[.\]com to download a remote administration tool. It was clear then where the rest of this call was going.

I can see this scam tricking a great many people, especially since both the email and invoice are sent through PayPal’s systems — which practically guarantees that the message will be successfully delivered. The invoices appear to have been sent from a compromised or fraudulent PayPal Business account, which allows users to send invoices like the one shown above. Details of this scam were shared Wednesday with PayPal’s anti-abuse (phishing@paypal.com) and media relations teams.

PayPal said in a written statement that phishing attempts are common and can take many forms.

“We have a zero-tolerance policy on our platform for attempted fraudulent activity, and our teams work tirelessly to protect our customers,” PayPal said. “We are aware of this well-known phishing scam and have put additional controls in place to mitigate this specific incident. Nonetheless, we encourage customers to always be vigilant online and to contact Customer Service directly if they suspect they are a target of a scam.”

It’s remarkable how well today’s fraudsters have adapted to hijacking the very same tools that financial institutions have long used to make their customers feel safe transacting online. It’s no accident that one of the most prolific scams going right now — the Zelle Fraud Scam — starts with a text message about an unauthorized payment that appears to come from your bank. After all, financial institutions have spent years encouraging customers to sign up for mobile alerts via SMS about suspicious transactions, and to expect the occasional inbound call about possibly fraudulent transactions.

Also, today’s scammers are less interested in stealing your PayPal login than they are in phishing your entire computer and online life with remote administration software, which seems to be the whole point of so many scams these days. Because why rob just one online account when you can plunder them all?

The best advice to sidestep phishing scams is to avoid clicking on links that arrive unbidden in emails, text messages and other mediums. Most phishing scams invoke a temporal element that warns of dire consequences should you fail to respond or act quickly. If you’re unsure whether the message is legitimate, take a deep breath and visit the site or service in question manually — ideally, using a browser bookmark to avoid potential typosquatting sites.

PayPal Phishing Scam Uses Invoices Sent Via PayPal

FusionPBX 5.0.1 was discovered to contain a command injection vulnerability via /fax/fax_send.php.

@@ -312,7 +312,7 @@ function fax\_split\_dtmf(&$fax\_number, &$fax\_dtmf){ if ($fax\_file\_extension != "pdf" && $fax\_file\_extension != "tif") { chdir($dir\_fax\_temp); $command = $IS\_WINDOWS ? '' : 'export HOME=/tmp && '; $command .= 'libreoffice --headless --convert-to pdf --outdir '.$dir\_fax\_temp.' '.$dir\_fax\_temp.'/'.$fax\_name.'.'.$fax\_file\_extension; $command .= 'libreoffice --headless --convert-to pdf --outdir '.$dir\_fax\_temp.' '.$dir\_fax\_temp.'/'.escapeshellarg($fax\_name).'.'.escapeshellarg($fax\_file\_extension); exec($command); @unlink($dir\_fax\_temp.'/'.$fax\_name.'.'.$fax\_file\_extension); } @@ -322,7 +322,7 @@ function fax\_split\_dtmf(&$fax\_number, &$fax\_dtmf){ chdir($dir\_fax\_temp);  
//convert pdf to tif $cmd = exec('which gs')." -q -r".$gs\_r." -g".$gs\_g." -dBATCH -dPDFFitPage -dNOSAFER -dNOPAUSE -dBATCH -sOutputFile=".correct\_path($fax\_name).".tif -sDEVICE=tiffg4 -Ilib stocht.ps -c \\"{ .75 gt { 1 } { 0 } ifelse} settransfer\\" -- ".correct\_path($fax\_name).".pdf -c quit"; $cmd = exec('which gs')." -q -r".$gs\_r." -g".$gs\_g." -dBATCH -dPDFFitPage -dNOSAFER -dNOPAUSE -dBATCH -sOutputFile=".escapeshellarg($fax\_name).".tif -sDEVICE=tiffg4 -Ilib stocht.ps -c \\"{ .75 gt { 1 } { 0 } ifelse} settransfer\\" -- ".escapeshellarg($fax\_name).".pdf -c quit"; // echo($cmd . "<br/>\\n"); exec($cmd); @unlink($dir\_fax\_temp.'/'.$fax\_name.'.pdf'); @@ -672,17 +672,17 @@ function fax\_split\_dtmf(&$fax\_number, &$fax\_dtmf){  
//send the fax $fax\_file = $dir\_fax\_sent."/".$fax\_instance\_uuid.".tif"; $common\_variables .= "fax\_queue\_uuid='" . $fax\_queue\_uuid . "',"; $common\_variables .= "fax\_queue\_uuid='" . escapeshellarg($fax\_queue\_uuid) . "',"; $common\_variables = "for\_fax=1,"; $common\_variables .= "accountcode='" . $fax\_accountcode . "',"; $common\_variables .= "sip\_h\_X-accountcode='" . $fax\_accountcode . "',"; $common\_variables .= "domain\_uuid=" . $\_SESSION\["domain\_uuid"\] . ","; $common\_variables .= "domain\_name=" . $\_SESSION\["domain\_name"\] . ","; $common\_variables .= "origination\_caller\_id\_name='" . $fax\_caller\_id\_name . "',"; $common\_variables .= "origination\_caller\_id\_number='" . $fax\_caller\_id\_number . "',"; $common\_variables .= "fax\_ident='" . $fax\_caller\_id\_number . "',"; $common\_variables .= "fax\_header='" . $fax\_caller\_id\_name . "',"; $common\_variables .= "fax\_file='" . $fax\_file . "',"; $common\_variables .= "accountcode='" . escapeshellarg($fax\_accountcode) . "',"; $common\_variables .= "sip\_h\_X-accountcode='" . escapeshellarg($fax\_accountcode) . "',"; $common\_variables .= "domain\_uuid=" . escapeshellarg($\_SESSION\["domain\_uuid"\]) . ","; $common\_variables .= "domain\_name=" . escapeshellarg($\_SESSION\["domain\_name"\]) . ","; $common\_variables .= "origination\_caller\_id\_name='" . escapeshellarg($fax\_caller\_id\_name) . "',"; $common\_variables .= "origination\_caller\_id\_number='" . escapeshellarg($fax\_caller\_id\_number) . "',"; $common\_variables .= "fax\_ident='" . escapeshellarg($fax\_caller\_id\_number) . "',"; $common\_variables .= "fax\_header='" . escapeshellarg($fax\_caller\_id\_name) . "',"; $common\_variables .= "fax\_file='" . escapeshellarg($fax\_file) . "',";  
foreach ($fax\_numbers as $fax\_number) {  
@@ -704,16 +704,16 @@ function fax\_split\_dtmf(&$fax\_number, &$fax\_dtmf){ $fax\_uri = $route\_array\[0\]; $fax\_variables = ""; foreach($\_SESSION\['fax'\]\['variable'\] as $variable) { $fax\_variables .= $variable.","; $fax\_variables .= escapeshellarg($variable).","; } }  
//build the fax dial string $dial\_string = $common\_variables; $dial\_string .= $fax\_variables; $dial\_string .= "mailto\_address='" . $mail\_to\_address . "',"; $dial\_string .= "mailfrom\_address='" . $mail\_from\_address . "',"; $dial\_string .= "fax\_uri=" . $fax\_uri . ","; $dial\_string .= "mailto\_address='" . escapeshellarg($mail\_to\_address) . "',"; $dial\_string .= "mailfrom\_address='" . escapeshellarg($mail\_from\_address) . "',"; $dial\_string .= "fax\_uri=" . escapeshellarg($fax\_uri) . ","; $dial\_string .= "fax\_retry\_attempts=1" . ","; $dial\_string .= "fax\_retry\_limit=20" . ","; $dial\_string .= "fax\_retry\_sleep=180" . ",";

CVE-2022-35153: Security use escapeshellarg · fusionpbx/fusionpbx@de22a91

A SQL injection vulnerability in CustomerDAO.java in sazanrjb InventoryManagementSystem 1.0 allows attackers to execute arbitrary SQL commands via the parameter 'customerCode.'

**InventoryManagementSystem**

A software developed using Java SE which provides as easy way to track the products, suppliers, customers as well as purchase and sales information. It also records the stock currently available in the store. There are basically two users, Administrator and Normal User. Both the users can manage suppliers, products, customers and purchase and sell products. The only difference between the two users is that the administrator can also view sales report and can also manage other users.

Download .sql file for this application: https://drive.google.com/file/d/0Bw-qNYNSGhdCN09YZDV6SmtRN00/view?usp=sharing&resourcekey=0-g98Gi5ErSgzV-Jit-4Ow6Q

Download required third party plugins (includes JCalender, JTattoo and SQLConnector) : https://drive.google.com/file/d/0Bw-qNYNSGhdCMU1mekN4SmRCb1E/view?usp=sharing&resourcekey=0-mynFCWwHM0l7oUuBwDIVbw

Download the software only: https://drive.google.com/file/d/0Bw-qNYNSGhdCbVdSdzZHX0pZOFE/view?usp=sharing&resourcekey=0-Q9wY-we5-vgs26YpPMrYaQ

Download full documentation for free:

*   https://www.scribd.com/doc/296989740/InventoryManagementSystem-Sajan-Rajbhandari
*   Inventory-Management-System-Sajan-Rajbhandari.pdf

Credentials:

After importing the above sql file and adding the plugins, try using the credential username: user4 and password: test123

Also make sure your mysql is username: root and password: root. If not change the credential in ../ims/src/com/inventory/database/ConnectionFactory.java line no. 36 and 44.

CVE-2022-35606: GitHub - sazanrjb/InventoryManagementSystem: A software developed using Java SE which provides as easy way to track the products, suppliers, customers as well as purchase and sales information. It als

The stealthy crypter, active since 2015, has been used to deliver a wide range of information stealers and RATs at a rapid, widespread clip.

Researchers this week warned of a sophisticated, evasive crypter that several threat actors are using to distribute a range of information stealers and remote-access Trojans (RATs).

The crypter, dubbed "DarkTortilla," is pervasive and persistent, and it packs multiple features designed to help it avoid anti-malware and forensics tools. The .NET-based crypter can be configured to deliver numerous malicious payloads, and can potentially be used to plant illegal content on a victim's system. It's also capable of tricking both users and sandboxes into believing it is benign.

Researchers from Secureworks, who first spotted DarkTortilla last October, believe it has been active since at least August 2015. Rob Pantazopoulos, senior security researcher at Secureworks' Counter Threat Unit (CTU), says threat actors have used DarkTortilla in the past to deliver a wide range of other malware, including Remcos, BitRat, FormBook, WarzoneRat, Snake Keylogger, LokiBot, QuasarRat, NetWire, and DCRat. On a few occasions, the crypter has also been used in targeted attacks to deliver payloads such as Metaspolit and Cobalt Strike.

Most recently, it's been used mainly to deliver malware such as the RATs AgentTesla, NanoCore, and AsyncRat, as well as the information-stealer RedLine.

Somewhat unusually for such a widely used malware distributor, there have been just nine instances where a threat actor used DarkTortilla to distribute ransomware — and seven of those involved the Babuk ransomware family.

**Pervasive and Versatile**

"DarkTortilla first came into focus for Secureworks in October 2021 when we detected a threat actor leveraging a Microsoft Exchange remote code execution vulnerability (CVE-2021-34473) to execute malicious PowerShell within customer environments," Pantazopoulos says. "The attack chain eventually led to the download and execution of the .NET malware that we now call DarkTortilla."

Secureworks researchers said that between January 2021 through May, they spotted an average of 93 unique DarkTortilla samples being uploaded to VirusTotal every week. The security vendor says it has counted more than 10,000 unique DarkTortilla samples since it began tracking the malware. Like many malware tools, attackers have been using spam emails with file attachments such as .ISO, .ZIP, and .IMG to distribute DarkTortilla. In some instances, they have also used malicious documents to deliver the malware.

**Highly Configurable**

What makes DarkTortilla dangerous is its high degree of configurability and the various anti-analysis and anti-tampering controls it packs to make detection and analysis highly challenging. The malware, for instance, uses open source tools such as DeepSea and ConfuserEX to obfuscate its code, and its main payload gets executed entirely in memory, Pantazopoulos says.

Also, DarkTortilla's initial loader, which is the only component of the malware that touches the file system, contains minimal functionality, making it hard to spot.

"Its only job is to retrieve, decode, and load the core processor, which is typically stored as encrypted data within the initial loader's resources," he notes. The code itself is generic in nature and tends to vary between samples depending on the obfuscation tools that have been applied. As a result, Secureworks has only been able to identify a handful of consistent markers for the malware — which too are likely to change soon, the researcher says.

The security vendor's analysis of DarkTortilla showed that it migrates execution to the Windows %TEMP% directory during initial execution, a feature that Pantazopoulos says is troublesome for defenders. One benefit in doing this — from the attacker's perspective — is that it allows DarkTortilla to hide on an infected system.

"Second, if the %Delay% configuration element is defined within the DarkTortilla configuration, the amount of time from when DarkTortilla is run to when the main payload gets executed increases exponentially," he says. For instance, with just a few configuration changes, attackers can set the malware to execute its main payload several minutes after the DarkTortilla executable is run.

"The impact here is that, when defenders submit the sample to most popular sandboxes, the sample will likely timeout without doing anything malicious and the sandbox may report that the sample was benign."

**Bag of Tricks**

DarkTortilla's bag of tricks includes a message box that attackers can use to display customizable, fake messages about the malware being a legitimate application, about the execution failing, or about the software being corrupted. The goal here, again, is to trick users into believing the malware that is executing on their system is benign.

"From a features perspective, we find DarkTortilla's ability to deliver numerous additional payloads in the form of 'addons' to be very interesting," Pantazopoulos notes. In one instance, the configured addon was a benign decoy Excel spreadsheet that opened as the malware was executing in the background. In another instance, Secureworks discovered the configured addon was a legitimate application installer that ran when the malware was executing. Thus the victim assumed they were installing a legitimate application.

In a handful of instances, Secureworks observed threat actors using DarkTortilla to drop addons to disk that were then not run later. Of the more than 600 DarkTortilla addons that Secureworks has observed so far, only seven were dropped to disk and not executed.

The file types ranged from executables and configuration files to PDF documents and were typically dropped to the victim's My Documents folder. "Though we've yet to see it used this way, it is very possible that a threat actor could leverage DarkTortilla to plant illegal content on a victim's file system without their knowledge," Pantazopoulos says.

'DarkTortilla' Malware Wraps in Sophistication for High-Volume RAT Infections

The state-sponsored group particularly targets organizations working on behalf of the Uyghurs, Tibet, and Taiwan, looking to gather intel that could lead to human-rights abuses, researchers say.

The RedAlpha advanced persistent threat (APT) group, thought to be linked to the Chinese state, has been spying on global humanitarian, think tank, and government organizations thanks to a massive phishing campaign that's been active for years.

That's the word from Recorded Future's the Insikt Group, which also found that the intelligence collection is likely used to support human rights abuses orchestrated by the Chinese Communist Party (CCP).

RedAlpha (aka Deepcliff or Red Dev 3) specializes in mass credential-harvesting, which it accomplishes via convincing phishing emails with attached PDFs that lead to purported login pages. The group has been operational at a "high tempo" since at least 2015, Insikt researchers note, though it didn't spark the notice of security researchers until 2018. And since 2019, the activity has ramped up even further, analysts say.

"Over the past three years, we have observed RedAlpha registering and weaponizing hundreds of domains spoofing organizations such as the International Federation for Human Rights (FIDH), Amnesty International, the Mercator Institute for China Studies (MERICS), Radio Free Asia (RFA), the American Institute in Taiwan (AIT), and other … organizations," according to a blog post on Tuesday from Insikt.

Last year, RedAlpha stood up at least 350 domains overall, representing a big spike in its activity, analysts said. In many cases, the observed phishing pages mimicked legitimate email login portals for these specific targets, suggesting the attackers intended to target individuals directly affiliated with the organizations, as opposed to using the branding of the entities to target other third parties.

In particular, the APT has been observed directly targeting ethnic and religious minorities such as the Tibetan and Uyghur communities and protesters such as Falun Gong members, and it has been particularly interested in anything Taiwan-related. In short, the targets align closely with Chinese interests. Thus, the idea is to gain access to email accounts and other online communications of victims, in order to eavesdrop and gather political intel on the targets, researchers surmise.

Casey Ellis, founder and CTO at Bugcrowd, says that the intel gleaned can be weaponized not just for guiding kinetic or physical strikes against the persons of interest but also for counter-messaging meant to undermine their activities.  

"China has an enormous population of very astute technologists, a vast security research and hacking community, and a large government-sponsored team with offensive capability ranging from information warfare to targeted exploit development and R&D," he says. "Data stolen for nation-state espionage isn't, for example, likely to be used for fraud if the threat actor is Chinese. The main threat, as is true for most nation-state threat actors, is dis/misinformation, weaponized memes, and subversive propaganda through social networks and traditional media."

The spoofing also has included impersonating well-known email service providers in an effort to look legitimate, including Yahoo (135 typosquatted domains), Google (91 typosquatted domains), and Microsoft (70 typosquatted domains).

"Chinese state-sponsored groups continue to aggressively target dissident and minority groups and individuals, both domestically through state surveillance and internationally through cyber-enabled intrusion activity," the researchers note. "This targeting of sensitive and vulnerable communities, many of which have security budget and resources constraints, is particularly concerning.  

**Sprawling Phishing Infrastructure**

According to Insikt's analysis, the group maintains large clusters of operational infrastructure, beyond the hundreds of phishing domains that imitate and spoof specific organizations.

The researchers say that other consistent characteristics of the group's efforts include the use of \*resellerclub\[.\]com nameservers; using the virtual private server (VPS) hosting provider Virtual Machine Solutions (VirMach); similar domain-naming conventions, such as the use of “mydrive-”, “accounts-”, “mail-”, “drive-”, and “files-” strings across hundreds of domains; overlapping WHOIS registrant names, email addresses, phone numbers, and organizations; and the use of specific server-side technology components and fake HTTP 404 Not Found errors.  

Phil Neray, vice president of cyber-defense strategy at CardinalOps, says that this kind of large footprint allows for significant espionage outcomes, which is one of the hallmarks of Chinese APTs.

"China has been a top nation-state threat for many years, given their strategic use of cyber-espionage to obtain expertise in key technologies such as biotech, semiconductors, defense, and energy, by stealing proprietary intellectual property from the West," he says. "They've also targeted PII in attacks against government organizations such as the Office of Personnel Management (OPM) and large health insurance organizations like Anthem, which were two of the largest data breaches in history."   

**Phishing Is Phishing Is Phishing**

The tactics in this case are tried and true, even if the perpetrators occupy "top-tier" status in the cybercrime pantheon.

"When it comes to phishing, threat actors at all levels generally rely on conventional aesthetic-based tactics to lure in their victims," Darren Guccione, CEO and co-founder at Keeper Security, tells Dark Reading. "Innocent people who are not trained on phishing prevention generally focus on the 'pinstripes' of the email. This means that the aesthetics they are familiar with, such as the logo and colors of a humanitarian, think tank, or government site, are used to lure them into a malicious link or form field."

It's important, however, not to underestimate the fallout from this familiar social-engineering approach. 

"Cybersecurity threats which ultimately result in breaches due to weak passwords, stolen credentials, or phishing emails are pervasive," Guccione says. "They can have devastating and long-term adverse consequences, particularly when a broad-scope espionage campaign is used to support human rights abuses."

Any organization should bolster user awareness and employ basic defenses to avoid being on the hook from phishing, Guccione adds.

"We tend to believe what we see, which is why aesthetics and a compelling user interface often trump awareness of a nefarious and incorrect URL," he notes. "The key to training is to ensure users are checking that the URL matches the authentic website. A password manager that can automatically identify when a site's URL doesn't match is a critical tool for preventing the most common password-related attacks, including phishing and credential stuffing."

CardinalOps' Neray adds that when it comes to civil-society targets specifically, "Organizations of all sizes must protect themselves by deploying continuous monitoring at all levels of their infrastructures — endpoints, network, cloud, identity — and ensuring they have SOC detection policies in place that match the latest adversary techniques employed by Chinese attackers, as documented in the MITRE ATT&CK framework."

China-Backed RedAlpha APT Builds Sprawling Cyber-Espionage Infrastructure

Red Hat Security Advisory 2022-6073-01 - The kernel packages contain the Linux kernel, the core of any Linux operating system. Issues addressed include privilege escalation and use-after-free vulnerabilities.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA256

====================================================================                     
Red Hat Security Advisory

Synopsis:          Important: kernel security update  
Advisory ID:       RHSA-2022:6073-01  
Product:           Red Hat Enterprise Linux  
Advisory URL:      https://access.redhat.com/errata/RHSA-2022:6073  
Issue date:        2022-08-16  
CVE Names:         CVE-2022-32250  
====================================================================  
1. Summary:

An update for kernel is now available for Red Hat Enterprise Linux 7.7  
Advanced Update Support, Red Hat Enterprise Linux 7.7 Telco Extended Update  
Support, and Red Hat Enterprise Linux 7.7 Update Services for SAP  
Solutions.

Red Hat Product Security has rated this update as having a security impact  
of Important. A Common Vulnerability Scoring System (CVSS) base score,  
which gives a detailed severity rating, is available for each vulnerability  
from the CVE link(s) in the References section.

2. Relevant releases/architectures:

Red Hat Enterprise Linux Server AUS (v. 7.7) - noarch, x86_64  
Red Hat Enterprise Linux Server E4S (v. 7.7) - noarch, ppc64le, x86_64  
Red Hat Enterprise Linux Server Optional AUS (v. 7.7) - x86_64  
Red Hat Enterprise Linux Server Optional E4S (v. 7.7) - ppc64le, x86_64  
Red Hat Enterprise Linux Server Optional TUS (v. 7.7) - x86_64  
Red Hat Enterprise Linux Server TUS (v. 7.7) - noarch, x86_64

3. Description:

The kernel packages contain the Linux kernel, the core of any Linux  
operating system.

Security Fix(es):

* kernel: a use-after-free write in the netfilter subsystem can lead to  
privilege escalation to root (CVE-2022-32250)

For more details about the security issue(s), including the impact, a CVSS  
score, acknowledgments, and other related information, refer to the CVE  
page(s) listed in the References section.

4. Solution:

For details on how to apply this update, which includes the changes  
described in this advisory, refer to:

https://access.redhat.com/articles/11258

The system must be rebooted for this update to take effect.

5. Bugs fixed (https://bugzilla.redhat.com/):

2092427 - CVE-2022-32250 kernel: a use-after-free write in the netfilter subsystem can lead to privilege escalation to root

6. Package List:

Red Hat Enterprise Linux Server AUS (v. 7.7):

Source:  
kernel-3.10.0-1062.68.1.el7.src.rpm

noarch:  
kernel-abi-whitelists-3.10.0-1062.68.1.el7.noarch.rpm  
kernel-doc-3.10.0-1062.68.1.el7.noarch.rpm

x86_64:  
bpftool-3.10.0-1062.68.1.el7.x86_64.rpm  
bpftool-debuginfo-3.10.0-1062.68.1.el7.x86_64.rpm  
kernel-3.10.0-1062.68.1.el7.x86_64.rpm  
kernel-debug-3.10.0-1062.68.1.el7.x86_64.rpm  
kernel-debug-debuginfo-3.10.0-1062.68.1.el7.x86_64.rpm  
kernel-debug-devel-3.10.0-1062.68.1.el7.x86_64.rpm  
kernel-debuginfo-3.10.0-1062.68.1.el7.x86_64.rpm  
kernel-debuginfo-common-x86_64-3.10.0-1062.68.1.el7.x86_64.rpm  
kernel-devel-3.10.0-1062.68.1.el7.x86_64.rpm  
kernel-headers-3.10.0-1062.68.1.el7.x86_64.rpm  
kernel-tools-3.10.0-1062.68.1.el7.x86_64.rpm  
kernel-tools-debuginfo-3.10.0-1062.68.1.el7.x86_64.rpm  
kernel-tools-libs-3.10.0-1062.68.1.el7.x86_64.rpm  
perf-3.10.0-1062.68.1.el7.x86_64.rpm  
perf-debuginfo-3.10.0-1062.68.1.el7.x86_64.rpm  
python-perf-3.10.0-1062.68.1.el7.x86_64.rpm  
python-perf-debuginfo-3.10.0-1062.68.1.el7.x86_64.rpm

Red Hat Enterprise Linux Server E4S (v. 7.7):

Source:  
kernel-3.10.0-1062.68.1.el7.src.rpm

noarch:  
kernel-abi-whitelists-3.10.0-1062.68.1.el7.noarch.rpm  
kernel-doc-3.10.0-1062.68.1.el7.noarch.rpm

ppc64le:  
bpftool-3.10.0-1062.68.1.el7.ppc64le.rpm  
bpftool-debuginfo-3.10.0-1062.68.1.el7.ppc64le.rpm  
kernel-3.10.0-1062.68.1.el7.ppc64le.rpm  
kernel-bootwrapper-3.10.0-1062.68.1.el7.ppc64le.rpm  
kernel-debug-3.10.0-1062.68.1.el7.ppc64le.rpm  
kernel-debug-debuginfo-3.10.0-1062.68.1.el7.ppc64le.rpm  
kernel-debuginfo-3.10.0-1062.68.1.el7.ppc64le.rpm  
kernel-debuginfo-common-ppc64le-3.10.0-1062.68.1.el7.ppc64le.rpm  
kernel-devel-3.10.0-1062.68.1.el7.ppc64le.rpm  
kernel-headers-3.10.0-1062.68.1.el7.ppc64le.rpm  
kernel-tools-3.10.0-1062.68.1.el7.ppc64le.rpm  
kernel-tools-debuginfo-3.10.0-1062.68.1.el7.ppc64le.rpm  
kernel-tools-libs-3.10.0-1062.68.1.el7.ppc64le.rpm  
perf-3.10.0-1062.68.1.el7.ppc64le.rpm  
perf-debuginfo-3.10.0-1062.68.1.el7.ppc64le.rpm  
python-perf-3.10.0-1062.68.1.el7.ppc64le.rpm  
python-perf-debuginfo-3.10.0-1062.68.1.el7.ppc64le.rpm

x86_64:  
bpftool-3.10.0-1062.68.1.el7.x86_64.rpm  
bpftool-debuginfo-3.10.0-1062.68.1.el7.x86_64.rpm  
kernel-3.10.0-1062.68.1.el7.x86_64.rpm  
kernel-debug-3.10.0-1062.68.1.el7.x86_64.rpm  
kernel-debug-debuginfo-3.10.0-1062.68.1.el7.x86_64.rpm  
kernel-debug-devel-3.10.0-1062.68.1.el7.x86_64.rpm  
kernel-debuginfo-3.10.0-1062.68.1.el7.x86_64.rpm  
kernel-debuginfo-common-x86_64-3.10.0-1062.68.1.el7.x86_64.rpm  
kernel-devel-3.10.0-1062.68.1.el7.x86_64.rpm  
kernel-headers-3.10.0-1062.68.1.el7.x86_64.rpm  
kernel-tools-3.10.0-1062.68.1.el7.x86_64.rpm  
kernel-tools-debuginfo-3.10.0-1062.68.1.el7.x86_64.rpm  
kernel-tools-libs-3.10.0-1062.68.1.el7.x86_64.rpm  
perf-3.10.0-1062.68.1.el7.x86_64.rpm  
perf-debuginfo-3.10.0-1062.68.1.el7.x86_64.rpm  
python-perf-3.10.0-1062.68.1.el7.x86_64.rpm  
python-perf-debuginfo-3.10.0-1062.68.1.el7.x86_64.rpm

Red Hat Enterprise Linux Server TUS (v. 7.7):

Source:  
kernel-3.10.0-1062.68.1.el7.src.rpm

noarch:  
kernel-abi-whitelists-3.10.0-1062.68.1.el7.noarch.rpm  
kernel-doc-3.10.0-1062.68.1.el7.noarch.rpm

x86_64:  
bpftool-3.10.0-1062.68.1.el7.x86_64.rpm  
bpftool-debuginfo-3.10.0-1062.68.1.el7.x86_64.rpm  
kernel-3.10.0-1062.68.1.el7.x86_64.rpm  
kernel-debug-3.10.0-1062.68.1.el7.x86_64.rpm  
kernel-debug-debuginfo-3.10.0-1062.68.1.el7.x86_64.rpm  
kernel-debug-devel-3.10.0-1062.68.1.el7.x86_64.rpm  
kernel-debuginfo-3.10.0-1062.68.1.el7.x86_64.rpm  
kernel-debuginfo-common-x86_64-3.10.0-1062.68.1.el7.x86_64.rpm  
kernel-devel-3.10.0-1062.68.1.el7.x86_64.rpm  
kernel-headers-3.10.0-1062.68.1.el7.x86_64.rpm  
kernel-tools-3.10.0-1062.68.1.el7.x86_64.rpm  
kernel-tools-debuginfo-3.10.0-1062.68.1.el7.x86_64.rpm  
kernel-tools-libs-3.10.0-1062.68.1.el7.x86_64.rpm  
perf-3.10.0-1062.68.1.el7.x86_64.rpm  
perf-debuginfo-3.10.0-1062.68.1.el7.x86_64.rpm  
python-perf-3.10.0-1062.68.1.el7.x86_64.rpm  
python-perf-debuginfo-3.10.0-1062.68.1.el7.x86_64.rpm

Red Hat Enterprise Linux Server Optional AUS (v. 7.7):

x86_64:  
bpftool-debuginfo-3.10.0-1062.68.1.el7.x86_64.rpm  
kernel-debug-debuginfo-3.10.0-1062.68.1.el7.x86_64.rpm  
kernel-debuginfo-3.10.0-1062.68.1.el7.x86_64.rpm  
kernel-debuginfo-common-x86_64-3.10.0-1062.68.1.el7.x86_64.rpm  
kernel-tools-debuginfo-3.10.0-1062.68.1.el7.x86_64.rpm  
kernel-tools-libs-devel-3.10.0-1062.68.1.el7.x86_64.rpm  
perf-debuginfo-3.10.0-1062.68.1.el7.x86_64.rpm  
python-perf-debuginfo-3.10.0-1062.68.1.el7.x86_64.rpm

Red Hat Enterprise Linux Server Optional E4S (v. 7.7):

ppc64le:  
bpftool-debuginfo-3.10.0-1062.68.1.el7.ppc64le.rpm  
kernel-debug-debuginfo-3.10.0-1062.68.1.el7.ppc64le.rpm  
kernel-debug-devel-3.10.0-1062.68.1.el7.ppc64le.rpm  
kernel-debuginfo-3.10.0-1062.68.1.el7.ppc64le.rpm  
kernel-debuginfo-common-ppc64le-3.10.0-1062.68.1.el7.ppc64le.rpm  
kernel-tools-debuginfo-3.10.0-1062.68.1.el7.ppc64le.rpm  
kernel-tools-libs-devel-3.10.0-1062.68.1.el7.ppc64le.rpm  
perf-debuginfo-3.10.0-1062.68.1.el7.ppc64le.rpm  
python-perf-debuginfo-3.10.0-1062.68.1.el7.ppc64le.rpm

x86_64:  
bpftool-debuginfo-3.10.0-1062.68.1.el7.x86_64.rpm  
kernel-debug-debuginfo-3.10.0-1062.68.1.el7.x86_64.rpm  
kernel-debuginfo-3.10.0-1062.68.1.el7.x86_64.rpm  
kernel-debuginfo-common-x86_64-3.10.0-1062.68.1.el7.x86_64.rpm  
kernel-tools-debuginfo-3.10.0-1062.68.1.el7.x86_64.rpm  
kernel-tools-libs-devel-3.10.0-1062.68.1.el7.x86_64.rpm  
perf-debuginfo-3.10.0-1062.68.1.el7.x86_64.rpm  
python-perf-debuginfo-3.10.0-1062.68.1.el7.x86_64.rpm

Red Hat Enterprise Linux Server Optional TUS (v. 7.7):

x86_64:  
bpftool-debuginfo-3.10.0-1062.68.1.el7.x86_64.rpm  
kernel-debug-debuginfo-3.10.0-1062.68.1.el7.x86_64.rpm  
kernel-debuginfo-3.10.0-1062.68.1.el7.x86_64.rpm  
kernel-debuginfo-common-x86_64-3.10.0-1062.68.1.el7.x86_64.rpm  
kernel-tools-debuginfo-3.10.0-1062.68.1.el7.x86_64.rpm  
kernel-tools-libs-devel-3.10.0-1062.68.1.el7.x86_64.rpm  
perf-debuginfo-3.10.0-1062.68.1.el7.x86_64.rpm  
python-perf-debuginfo-3.10.0-1062.68.1.el7.x86_64.rpm

These packages are GPG signed by Red Hat for security.  Our key and  
details on how to verify the signature are available from  
https://access.redhat.com/security/team/key/

7. References:

https://access.redhat.com/security/cve/CVE-2022-32250  
https://access.redhat.com/security/updates/classification/#important

8. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact  
details at https://access.redhat.com/security/team/contact/

Copyright 2022 Red Hat, Inc.  
-----BEGIN PGP SIGNATURE-----  
Version: GnuPG v1

iQIVAwUBYvvc19zjgjWX9erEAQi1cRAAjEUt0r1F8jjtVp0d8kroL7hrs8EHBJ0Q  
qJyhWBmqx6rPsRG9BjxRp7/ghaiz6CG/UT1nv/nZ+fUBG83LCvZ46o8WcI6K0Fvy  
JerDv3tWnpPMJCh6Mk20L0Dc/1N4VT93aXLxZImYZ4lbglzuYnVG7padfPw1hKfJ  
0mMRAW0Jq5no1Z+TbIw15UYH5VM9jHe3HUSEbQAmWd07rKNmYzrb7lmMVCKzLgKY  
OpoE5DBPzC2vmYy4uD5yFJAqb16udSc75O1lwJSm0NemThecm0UKmHvYShYQVFst  
PReb3FBLKkxp/cIn8agD45FLI6bmwx/G+Vf+ULKWLHKYAEb++VJMPeV/AZOMTXkZ  
pgAvjOmU+GW+Ff5caqFKIZpdPVrnckJ+OZAntAxlsfdoIi6zAayedi13CGjOT2YF  
LZJL1bZ5OvT+C/dDuFdouBc5vh6gUSvqFCIdChCcFISZTGD2pdqih0MrltYElYZQ  
aMyqT0Rbtb5tDTdiPsAOlEZdu27FwqwY3c3UKutAQZdNfiegGzrTEvqJUc/bAWck  
Nyr1jA2bfxIoAUeAZebg1BBIHDelDlIQ4jhR0rlmVddRLY/R0nlSUPDFYlhXSZ9a  
je2i1vKkqty8xO0u6E3y4hw5LtzKU4zg7Nithiko9iBeBeQl6jLWJbNFf6sNxwed  
y2wGB25IIfc=ZdRy  
-----END PGP SIGNATURE-----  
--  
RHSA-announce mailing list  
RHSA-announce@redhat.com  
https://listman.redhat.com/mailman/listinfo/rhsa-announce

Red Hat Security Advisory 2022-6073-01

The North Korean APT is using a fake job posting for Coinbase in a cyberespionage campaign targeting users of both Apple and Intel-based systems.

The North Korean APT is using a fake job posting for Coinbase in a cyberespionage campaign targeting users of both Apple and Intel-based systems.

North Korean APT Lazarus is up to its old tricks with a cyberespionage campaign targeting engineers with a fake job posting that attempt to spread macOS malware. The malicious Mac executable used in the campaign targets both Apple and Intel chip-based systems.

The campaign, identified by researchers from ESET Research Labs and revealed in a series of tweets posted Tuesday, impersonates cryptocurrency trader Coinbase in a job description claiming to seek an engineering manager for product security, researchers divulged.

Dubbed Operation In(ter)ception, the recent campaign drops a signed Mac executable disguised as a job description for Coinbase, which researchers discovered uploaded to VirusTotal from Brazil, they wrote.“Malware is compiled for both Intel and Apple Silicon,” according to one of the tweets. “It drops three files: a decoy PDF document Coinbase\_online\_careers\_2022\_07.pdf, a bundle http\[://\]FinderFontsUpdater\[.\]app and a downloader safarifontagent.”

**Similarities to Previous Malware**

The malware is similar to a sample discovered by ESET in May, which also included a signed executable disguised as a job description, was compiled for both Apple and Intel, and dropped a PDF decoy, researchers said.

However, the most recent malware is signed July 21, according to its timestamp, which means it’s either something new or a variant of the previous malware. It uses a certificate issued in February 2022 to a developer named Shankey Nohria and which was revoked by Apple on Aug. 12, researchers said. The app itself was not notarized.

Operation In(ter)ception also has a companion Windows version of the malware dropping the same decoy and spotted Aug. 4 by Malwarebytes threat intelligence researcher Jazi, according to ESET.

The malware used in the campaign also connects to a different command and control (C2) infrastructure than the malware discovered in May, https:\[//\]concrecapital\[.\]com/%user%\[.\]jpg, which did not respond when researchers tried to connect to it.

**Lazarus on the Loose**

North Korea’s Lazarus is well known as one of the most prolific APTs and already is in the crosshairs of international authorities, having been sanctioned back in 2019 by the U.S. government.

Lazarus is known for targeting academics, journalists and professionals in various industries—particularly the defense industry–to gather intelligence and financial backing for the regime of Kim Jong-un. It has often used impersonation ploys similar to the one observed in Operation In(ter)ception to try to get victims to take the malware bait.

A previous campaign identified in January also targeted job-seeking engineers by dangling fake employment opportunities at them in a spear-phishing campaign. The attacks used Windows Update as a living-off-the-land technique and GitHub as a C2 server.

Meanwhile, a similar campaign uncovered last year saw Lazarus impersonating defense contractors Boeing and General Motors and claiming to seek job candidates only to spread malicious documents.

**Changing It Up**

However, more recently Lazarus has diversified its tactics, with the feds revealing that Lazarus also has been responsible for a number of crypto heists aimed at padding the regime of Jong-un with cash.

Related to this activity, the U.S. government levied sanctions against cryptocurrency mixer service Tornado Cash for helping Lazarus launder cash from its cybercriminal activities, which they believe in part are being to fund North Korea’s missile program.

Lazarus even has dipped its toe in ransomware amid its frenzy of cyberextortion activity. In May, researchers at cybersecurity firm Trellix tied the recently emerged VHD ransomware to the North Korean APT.

APT Lazarus Targets Engineers with macOS Malware

A Chinese state-sponsored threat activity group named RedAlpha has been attributed to a multi-year mass credential theft campaign aimed at global humanitarian, think tank, and government organizations.
"In this activity, RedAlpha very likely sought to gain access to email accounts and other online communications of targeted individuals and organizations," Recorded Future disclosed in a new

A Chinese state-sponsored threat activity group named **RedAlpha** has been attributed to a multi-year mass credential theft campaign aimed at global humanitarian, think tank, and government organizations.

"In this activity, RedAlpha very likely sought to gain access to email accounts and other online communications of targeted individuals and organizations," Recorded Future disclosed in a new report.

A lesser-known threat actor, RedAlpha was first documented by Citizen Lab in January 2018 and has a history of conducting cyber espionage and surveillance operations directed against the Tibetan community, some in India, to facilitate intelligence collection by deploying the NjRAT backdoor.

"The campaigns \[...\] combine light reconnaissance, selective targeting, and diverse malicious tooling," Recorded Future noted at the time.

Since then, malicious activities undertaken by the group have involved weaponizing as many as 350 domains that spoof legitimate entities like the International Federation for Human Rights (FIDH), Amnesty International, the Mercator Institute for China Studies (MERICS), Radio Free Asia (RFA), and the American Institute in Taiwan (AIT), among others.

The adversary's consistent targeting of think tanks and humanitarian organizations over the past three years falls in line with the strategic interests of the Chinese government, the report added.

The impersonated domains, which also include legitimate email and storage service providers like Yahoo!, Google, and Microsoft, are subsequently used to target proximate organizations and individuals to facilitate credential theft.

Attack chains start with phishing emails containing PDF files that embed malicious links to redirect users to rogue landing pages that mirror the email login portals for the targeted organizations.

"This means they were intended to target individuals directly affiliated with these organizations rather than simply imitating these organizations to target other third parties," the researchers noted.

Alternatively, the domains used in the credential-phishing activity have been found hosting generic login pages for popular email providers such as Outlook, alongside emulating other email software such as Zimbra used by these specific organizations.

In a sign of the campaign's evolution, the group has also impersonated login pages associated with Taiwan, Portugal, Brazil, and Vietnam's ministries of foreign affairs as well as India's National Informatics Centre (NIC), which manages IT infrastructure and services for the Indian government.

The RedAlpha cluster further appears to be connected to a Chinese information security company known as Jiangsu Cimer Information Security Technology Co. Ltd. (formerly Nanjing Qinglan Information Technology Co., Ltd.), underscoring the continued use of private contractors by intelligence agencies in the country.

"\[The targeting of think tanks, civil society organizations, and Taiwanese government and political entities\], coupled with the identification of likely China-based operators, indicates a likely Chinese state-nexus to RedAlpha activity," the researchers said.

Found this article interesting? Follow THN on Facebook, Twitter __ and LinkedIn to read more exclusive content we post.

Tag

#pdf