By Jon Munshaw.
The one big thing
Why do I care?
The discovery of MagicRAT in the wild is an indication of Lazarus' motivations to rapidly build new, bespoke malware to use along with their previously known malware such as TigerRAT to target organizations worldwide. Lazarus is already a formidable threat actor that’s been incredibly active this year, including major cryptocurrency-related attacks aimed at generating money for the North Korean government and subverting international sanctions. Any new developments from this group are noteworthy for the security community at large.
So now what?
In the attacks we observed, Lazarus Group commonly exploited VMware vulnerabilities, so users should update any affected products they’re using as soon as possible. Additionally, we’ve released new Snort rules and OSqueries to detect MagicRAT activity and block it before the attackers can get any further.
Top security headlines from the week
The newest version of a well-known banking trojan on the Google Play store is masquerading as legitimate antivirus software and has already been installed on tens of thousands of devices. SharkBot, which was first discovered in February, infects Android users and then tries to initiate unwanted bank transfers by stealing users’ login information and intercepting SMS multi-factor authentication messages. The malware disguises itself as two apps: Mister Phone Cleaner, which has more than 50,000 downloads so far on the Google Play store, according to security researchers, and Kylhavy Mobile Security, which has been downloaded more than 10,000 times. Affected victims are in several different countries, including the U.S., Spain, Australia, Poland, Germany and Austria. (Bleeping Computer, Tech Monitor)
Many students are heading back to school across the U.S., which also means an increased risk of cyber attacks for those schools. Threat actors traditionally target the education sector during this period, when schools are more susceptible to an attack and more likely to pay a ransom. The massive, combined school district in Los Angeles, California was hit with a ransomware attack this week, forcing more than 600,000 students and staff to reset their passwords. It’s currently unclear what information, if any, was stolen, but students could attend school as planned after the Labor Day weekend. The U.S. federal government even deployed cybersecurity-related agencies to the district to assist with its recovery. (NPR, Washington Post)
Local police departments have been using a little-known location-tracking service since 2018 that can allow them to track suspects’ locations without a warrant. The software, called Fog Reveal, allows the customer to use data harvested from others’ smartphones to track the location and other activities of suspects. Law enforcement has already used it to investigate several different types of crimes, including murder investigations and potential crimes surrounding the attempted insurrection on the U.S. Capitol on Jan. 6, 2021. However, the use of the software is rarely mentioned in court documents when used as part of a criminal trial. (Associated Press, Vice Motherboard)
Can’t get enough Talos?
- North Korean Hackers Deploying New MagicRAT Malware in Targeted Campaigns
- Multiple ransomware data leak sites experience DDoS attacks, facing intermittent outages and connectivity issues
- Researcher Spotlight: How Asheer Malhotra looks for 'instant gratification' in threat hunting
- Threat Roundup for Aug. 26 – Sept. 2
- Talos Takes Ep. #111 (XL Edition): Talos' update on our work in Ukraine
Upcoming events where you can find Talos
Most prevalent malware files from Talos telemetry over the past week
MD5: 93fefc3e88ffb78abb36365fa5cf857c
Typical Filename: Wextract
Claimed Product: Internet Explorer
Detection Name: PUA.Win.Trojan.Generic::85.lp.ret.sbx.tg