hexway cybersecurity blog brings you the latest news about attacks and data breaches, emerging malware, and vendor security updates with comments from our experts
News for discussion
Safari bug that allows stealing files is disclosed
After Apple had postponed fixing a Safari vulnerability for almost a year, the researcher disclosed it. The bug could leak local files to other browsers and applications. It is described as "not very serious" and is related to Safari's implementation of the Web Share API, a new web standard that introduced a cross-browser API for sharing text, links, files, and other content. Exploiting it requires elaborate social engineering and some interaction from the user.
Although it's quite an interesting vulnerability, it's highly unlikely that anyone would exploit it. The focus here should not be on the bug itself (who doesn't have them?) but on how Apple cooperates with security researchers: working with external reports has never been among their priorities. Fixes without credit, postponed patches, "won't fix" verdicts, silence: that's what you should be prepared for if you want to submit a vulnerability to Apple.
On the other hand, vendors have their own deadlines and release cycles, and attending to every reported minor bug is a burden. So minor bugs can wait.
If you are feeling lost, here is some advice:
- If you are a security researcher, don't be shy: disclose your findings 90 days after you have notified the vendor, and remind them about it just before publishing.
- If you are a vendor, make handling external reports part of your development cycle.
Qbot Trojan updated
Qbot, an ever-evolving banking and information-stealing Trojan first discovered in 2008, has become more sophisticated and adopted many new techniques. It already has more than 100,000 victims. The new variant of Qbot spreads through phishing emails carrying a malicious Visual Basic Script (VBS) file whose code executes on Windows. After infecting the PC, a new Email Collector module extracts all email threads from Outlook and uploads them to the attacker's server, so they can be used to craft convincing phishing replies that infect other users. The Trojan can also steal browsing data and banking details and download ransomware; one of its modules installs Mimikatz to harvest passwords.
Lazarus attacks cryptocurrency firms through fake LinkedIn job offers
Lazarus, an advanced persistent threat (APT) group, is targeting organizations in the cryptocurrency sector. Phishing documents are distributed through fake LinkedIn job offers. In one case, a Microsoft Word document claimed to be protected under the EU General Data Protection Regulation (GDPR) and that its content could only be displayed if macros were enabled; the victim is thus tricked into enabling macros that run malicious code. The infection chain varies depending on the system configuration and the range of tools used by the attackers. To date, this phishing campaign has succeeded at least 73 times.
New targets of Iranian ransomware Dharma
Unskilled and financially motivated hackers are targeting companies in Russia, Japan, China, and India with ransomware called Dharma. The group demands a low ransom of 1 to 5 bitcoins, which helps them go unnoticed while the authorities deal with the gangs extorting millions. The attackers find victims by scanning for exposed Remote Desktop Protocol (RDP) endpoints, then use NLBrute to brute-force RDP passwords. Once inside, they may try to escalate privileges through an old vulnerability (CVE-2017-0213) affecting Windows 7 and newer versions. The number of victims of this group remains unknown.
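As an added defender-side example (not from the original post), here is a small detector over constructed Windows Security log lines that flags the RDP password-guessing pattern described above: many failed RDP logons (event 4625, logon type 10) from one source within a short window, and a later successful logon (4624) from that same source. The event IDs and logon type are standard Windows values; the simplified log format, addresses and user names are constructed for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines (not real data): a simplified rendering of
# Windows Security events. 4625 = failed logon, 4624 = successful logon,
# LogonType=10 = RemoteInteractive, i.e. an RDP session.
SAMPLE_EVENTS = [
    "2020-08-28T10:00:01 4625 LogonType=10 User=admin Src=203.0.113.7",
    "2020-08-28T10:00:03 4625 LogonType=10 User=administrator Src=203.0.113.7",
    "2020-08-28T10:00:05 4625 LogonType=3 User=svc Src=203.0.113.7",
    "2020-08-28T10:00:06 4625 LogonType=10 User=backup Src=203.0.113.7",
    "2020-08-28T10:00:09 4625 LogonType=10 User=backup Src=203.0.113.7",
    "2020-08-28T10:00:12 4625 LogonType=10 User=backup Src=203.0.113.7",
    "2020-08-28T10:00:15 4625 LogonType=10 User=backup Src=203.0.113.7",
    "2020-08-28T10:00:40 4624 LogonType=10 User=backup Src=203.0.113.7",
    "2020-08-28T10:05:00 4625 LogonType=10 User=alice Src=198.51.100.9",
]

def parse_event(line):
    """Split one constructed log line into its fields."""
    ts, event_id, *pairs = line.split()
    fields = dict(p.split("=", 1) for p in pairs)
    return {"ts": datetime.fromisoformat(ts), "id": int(event_id),
            "logon_type": int(fields["LogonType"]),
            "user": fields["User"], "src": fields["Src"]}

def detect_rdp_bruteforce(lines, threshold=5, window=timedelta(minutes=5)):
    """Return {src: {"failures": n, "logged_in_as": user_or_None}} for every
    source that produced >= threshold failed RDP logons inside a sliding window.
    A later successful RDP logon from a flagged source is recorded too, since
    that is the point where password guessing has turned into a compromise."""
    recent_failures = defaultdict(list)   # src -> failure timestamps in window
    alerts = {}
    for ev in map(parse_event, lines):
        if ev["logon_type"] != 10:        # only RDP-style logons matter here
            continue
        src = ev["src"]
        if ev["id"] == 4625:
            q = recent_failures[src]
            q.append(ev["ts"])
            while q and ev["ts"] - q[0] > window:   # expire old failures
                q.pop(0)
            if len(q) >= threshold:
                alert = alerts.setdefault(src, {"failures": 0, "logged_in_as": None})
                alert["failures"] = max(alert["failures"], len(q))
        elif ev["id"] == 4624 and src in alerts:
            alerts[src]["logged_in_as"] = ev["user"]
    return alerts
```

The threshold and window are deliberately conservative; in practice they should be tuned against the normal failure rate of your own environment.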
New Zealand Stock Exchange down due to DDoS attacks
The New Zealand Stock Exchange (NZX) was hit by DDoS attacks that forced it to halt trading. The attacks originated offshore, arrived through its network provider, Spark, and disrupted the connectivity of NZX systems.