By Jon Munshaw.
The one big thing
Why do I care?
As we outlined in the newsletter last week, anything the Lazarus Group does is not to be taken lightly. And it’s particularly notable since they are targeting energy suppliers, highlighting the dangers that critical infrastructure faces from state-sponsored threat actors. Our research also shows the Lazarus Group is continually updating its malware and finding new ways to avoid detection.
So now what?
We’ve said this a thousand times already, but patch for Log4j in all software if you haven’t already, since this is the primary infection method used in this campaign. Talos also released several new solutions for Cisco Secure to detect and prevent the malware used in these attacks.
Top security headlines from the week
Twitter’s former head of security warned Congress about several potentially dangerous security practices at the social media giant. Peiter “Mudge” Zatko, one of the first “hackers” to enter mainstream culture, said in testimony that about 50 percent of Twitter’s employees could have access to sensitive user information, something he says he tried to prevent during his time at the company but was stopped. Zatko went as far as to directly tell U.S. Senators that their personal data could be at risk because of these practices, adding that the company is “misleading the public, lawmakers, regulators, and even its own board of directors.” The testimony came under additional scrutiny because of its potential influence on the ongoing battle regarding Elon Musk’s failed offer to buy Twitter. (Vox, Politico)
Montenegro’s government continues to grapple with a massive cyber attack, forcing many services offline at government offices and putting the country’s essential infrastructure, including banking, water and electrical power systems, at risk. Government officials stated that the attack resembles others from well-known Russian state-sponsored actors. The FBI even deployed a special cybersecurity team to the country to help with the recovery and remediation process. The Cuba ransomware group claimed responsibility for the attack, going as far as to say they created a special malware just for this campaign. Recent cyber attacks against NATO nations like Montenegro and Albania have raised questions around whether NATO’s Article 5 could be triggered by offensive cyber attacks. (Associated Press, NPR)
Apple released security updates for its mobile and desktop operating systems this week to patch zero-day vulnerabilities that attackers have actively exploited in the wild. CVE-2022-32917, according to Apple, could allow an attacker to execute arbitrary code with kernel privileges. This is the eighth zero-day vulnerability Apple disclosed this year. When updating iOS, users can upgrade to iOS 16, which also comes with several new security features. The new operating system includes a centralized privacy dashboard, safety checks for users who could be at risk of having their devices infected with spyware, and password-free logins on some sites. (9to5Mac, New York Times Wirecutter)
Can’t get enough Talos?
- Energy providers hit by North Korea-linked Lazarus exploiting Log4j VMware vulnerabilities
- Talos Takes Ep. #112: Back to school advice for teachers, students, parents, admins and everyone in between
- North Korea’s Lazarus hackers are exploiting Log4j flaw to hack US energy companies
- Cisco Talos traps new Lazarus Group RAT
- Microsoft Patch Tuesday for September 2022 — Snort rules and prominent vulnerabilities
- Talos EMEA Monthly Threat Update: How do you know if cyber insurance is right for you?
Upcoming events where you can find Talos
Most prevalent malware files from Talos telemetry over the past week
MD5: 93fefc3e88ffb78abb36365fa5cf857c
Typical Filename: Wextract
Claimed Product: Internet Explorer
Detection Name: PUA.Win.Trojan.Generic::85.lp.ret.sbx.tg