CYBERSECURITY NEWS V. February – Silver Sparrow, WatchDog mines cryptocurrency, Kia Motors America hit by DoppelPaymer

hexway cybersecurity blog brings you the latest news about attacks and data breaches, emerging malware, and vendor security updates

News FYI

30,000 Mac computers infected with new malware Silver Sparrow

The new virus called Silver Sparrow has already infected more than 30,000 Mac computers worldwide, according to a recent report from the cybersecurity company Red Canary.

The virus has two versions: one with a Mach-O binary file compiled for Intel processors, and another targeting devices with the Apple M1 chip. It is worth noting that the virus lacks one important feature – the malicious payload. This could mean that the virus acts only when some unknown condition is met. Silver Sparrow is idle for now, although it communicates with the C&C servers once an hour, waiting for potentially malicious binaries to execute. Interestingly, the virus has a self-destruct function that allows it to erase its traces. This feature is mostly used for highly secretive operations. The malware may be just a platform for subsequent downloads and execution of other code.

Red Canary researchers note that its complex infrastructure leverages CDNs and AWS networks efficiently, making it difficult to track and remove the malware.

The malware was detected in 153 countries, with the largest number of infected computers in the United States, Great Britain, Canada, France, and Germany.

WatchDog botnet mines cryptocurrency on Windows and Linux servers

According to the analysts at Palo Alto Networks, WatchDog malware, active since 2019 and written in Go, infects systems running Windows and Linux. Usually, outdated corporate applications become the entry point for hackers. On infected servers, WatchDog runs with administrator rights and, if the malware operators want, it can easily scan and steal credentials.

According to the experts, the botnet currently includes from 500 to 1000 infected systems. The profit is approximately 209 Monero, which equals approximately $ 32,000 at the current exchange rate.

Kia Motors America hit by DoppelPaymer

The American subsidiary of Kia Motors, has been attacked by DoppelPaymer ransomware. The attackers have encrypted sensitive files, stolen confidential information, and now demand $20 million for a decryptor.

Over the past few days, there has been a disruption to the company's services, including UVO Link mobile apps, phone services, payment systems, the Kia Owners portal, and Kia dealer internal sites. Kia Motors explained it as a large-scale failure.

Judging by the ransom note, the DoppelPaymer operators have successfully infiltrated the car manufacturer's networks. Among other things, they announced that they had managed to hack into Hyundai Motor, the parent company of Kia Motors.

The attackers gave the company 2-3 weeks before publishing the stolen data. The ransomware operators demand 404 bitcoins, which at the current exchange rate is approximately $ 20 million. If the automaker's representatives delay the payment, the ransom will increase to 600 bitcoins (or $ 30 million).

Hackers use Google Apps Script to inject web skimmers

Hackers are abusing the Google Apps Script platform to steal credit card information that users enter on e-commerce sites. Using the script.google.com domain, which is trusted by most sites, attackers hide malicious activity from malware detection solutions and bypass Content Security Policy (CSP).

Web skimmers are JavaScripts that cybercriminals inject into compromised e-commerce sites. They steal payment and personal information provided by users on these sites and transmit them to servers controlled by cybercriminals.

Stored XSS in iCloud fixed

Apple has reportedly fixed a stored XSS in the web version of iCloud discovered by penetration tester Vishal Bharad in the Pages/Keynote features. 

To exploit the bug, the attacker would have to insert an XSS payload into a name field of newly created Pages or Keynote content. Then, they would have to share it with another user and slightly modify the content afterwards.

Vishal Bharad found the vulnerability in August 2020 and immediately reported it to Apple. The company fixed the bug and paid Bharad $ 5,000.