Hackers Used macOS Zero-Day Against Hong Kong Users in Watering Hole Attacks

NSO Pegasus spyware reportedly found on high-ranking Palestinian diplomats' phones, FBI issues warning about Iranian hackers, Israel removes LGBTQ website from internet for faulty security, more

Nov 12, 2021

In yet another example of zero-day vulnerabilities exploited in the wild by attackers, in late August 2021, Google’s Threat Analysis Group (TAG) discovered watering hole attacks targeting visitors to Hong Kong websites for a media outlet and prominent pro-democracy labor and political group.

The websites leveraged for the attacks contained two iframes that served exploits from an attacker-controlled server, one for iOS and another for macOS. The iOS exploit chain used a framework based on Ironsquirrel to encrypt exploits delivered to the victim's browser. The landing page contained a simple HTML page loading two scripts for the macOS exploit, one for Capstone.js and another for the exploit chain.

Both attacks chained multiple vulnerabilities together so attackers could take control of victim devices to install their malware. The macOS version involved the exploitation of a WebKit vulnerability and a kernel bug.

In both attacks, the distributed malware ran in the background and could download files or exfiltrate data, conduct screen capturing and keylogging, initiate audio recording and execute other commands. It also made a “fingerprint” of each victims' device for identification. Although Google didn’t attribute the attacks to any particular source, Shane Huntley, director of Google TAG, said “the activity and targeting is consistent with a government-backed actor.” (Lily Hay Newman / Wired)

A Palestinian official, Ahmed al-Deek, an assistant foreign minister, said that the phones of three high-ranking Palestinian diplomats had been hacked by Pegasus spyware made by the Israeli surveillance firm NSO Group. However, it’s not clear if any outside researcher has confirmed the accusation.

This allegation marked the first time Palestinian officials have claimed NSO software was used to spy on them. (Joseph Krauss / Associated Press)

In an advisory sent to US companies, the FBI said that Iranian hackers had searched cybercriminal websites for sensitive data stolen from American and foreign organizations that could be useful in future efforts to hack those organizations.

Among the Tactics, Techniques, and Procedures (TTPs) used in the attacks since May 2021, the FBI mentions the use of auto-exploiter tools to compromise WordPress sites to deploy web shells, breaching RDP servers and using them to maintain access to victims' networks. Additionally, according to the FBI, this threat actor is also attempting to breach supervisory control and data acquisition (SCADA) systems with the help of common default passwords.

The Bureau said the threat actor would likely use the leaked data, such as emails and network information, bought from clear and dark web sources to breach the systems of related organizations. The FBI advises organizations to take mitigation measures to block hacking attempts by securing Remote Desktop Protocol (RDP) servers, Web Application Firewalls, and Kentico CMS installations targeted by this adversary. (Sergiu Gatlan / Bleeping Computer)

With help from the Dutch intelligence service, AIVD, four Booking.com IT specialists determined that hacker “Andrew” with ties to American intelligence agencies broke into the servers of hotel website Booking.com and stole details of thousands of hotel reservations in countries in the Middle East.

Booking.com did not notify the affected customers or the Dutch Data Protection Authority (AP). The management claims it was not legally required to do so at the time, based on advice it received from the law firm Hogan Lovells. The AP declined to comment. (Merijn Rengers, Stijn Bronzwaer, Joris Kooiman / NRC)

Related: Ars Technica

A US judge sentenced Russian national Aleksandr Zhukov to ten years in prison for running Methbot, a giant ad fraud botnet that stole more than $7 million from ad publishers and ad networks between 2014 and 2018.

Tracked under names such as 3ve, Methbot, Boaxxe, and Miuref, Zhukov is believed to have run one of the largest ad fraud botnets ever created, generating at one point in 2016 between $3 million and $5 million in revenue per day. (Catalin Cimpanu / The Record)

In an unusual move in motivating companies to take more robust measures regarding cyber defense, Israel state prosecution announced that it had succeeded in getting the Atraf website for LGBTQ dating permanently removed from the internet. The removal of the site is part of the state’s ongoing battle against attempts by the Black Shadow hacker group to expose the private, personal information of the website’s users.

On November 3, the Authority for the Defense of Privacy announced it was probing the Atraf website for faulty cyberdefenses that might have led to its recently being hacked. The Authority said then that the site might be pulled from the internet indefinitely due to the website owner’s lack of cyber protection of their clients’ data. (Yonah Jeremy Bob / Jerusalem Post)

Security firm Randori said about 10,000 enterprise servers running Palo Alto Networks’ GlobalProtect VPN are vulnerable to a just-patched buffer overflow bug (CVE-2021-3064) with a severity rating of 9.8 out of a possible 10.

Contrary to the usual practice of security firms to report vulnerabilities to vendors as soon as possible, Randori discovered the vulnerability 12 months ago but has been privately using it in its red team products, which help customers test their network defenses against real-world threats. (Dan Goodin / Ars Technica)

Related: Randori

Catalin Cimpanu @campuscodi

Randori discovered and used a Palo Alto Networks GlobalProtect VPN zero-day (CVE-2021-3064) as part of its red team engagements for a year before disclosing the issue to the vendor randori.com/blog/cve-2021-…

A North Korean state-sponsored hacking group known as Lazarus is again trying to hack security researchers, this time with a trojanized pirated version of the popular IDA Pro reverse engineering application.

The Lazarus group, also known as Zinc by Microsoft, has a long history of targeting security researchers with backdoors and remote access trojans. (Lawrence Abrams / Bleeping Computer)

ESET research @ESETresearch

#ESETresearch discovered a trojanized IDA Pro installer, distributed by the #Lazarus APT group. Attackers bundled the original IDA Pro 7.5 software developed by @HexRaysSA with two malicious components. @cherepanov74 1/5

According to a report by Barracuda, threat actors who distribute a special kind of phishing email known as a “bait attack” prefer to use Gmail accounts to conduct their attacks. A "bait attack" is a sub-class of phishing where threat actors attempt to gather basic information about a specific target and use it for more targeted and effective attacks in the future.

Of 10,500 organizations surveyed by Barracuda, 35% of them received at least one bait attack email in September 2021 alone. (Bill Toulas / Bleeping Computer)

President Biden signed into law bipartisan legislation, The Secure Equipment Act, to secure telecommunications systems against potential foreign threats, particularly from those linked to China.

The bill bans the Federal Communications Commission (FCC) from considering or issuing authorization for products from companies on the FCC’s “covered list,” including Chinese telecommunications groups Huawei and ZTE. (Maggie Miller / The Hill)

David McKeown, DoD’s chief information security officer, announced the Pentagon would formally launch a new office dedicated to accelerating the adoption of a new “zero trust” cybersecurity model.

The move comes nearly six months after the Biden administration’s cybersecurity order to improve protections, including through zero-trust approaches, at government agencies in the wake of the SolarWinds intrusion. (Joe Gould / C4IRSNET)

Photo by Ellen White on Unsplash