Newsletter

open source and cybersecurity news

December 12, 2023

It's 5:05, December 12, 2023. Time for your cybersecurity and open source headlines

In this Episode:

Mark Miller:  December 12th, 1980. Apple computer holds their initial public offering selling 4.6 million shares at $22 per share, and turning more than 40 Apple employees and investors into instant millionaires.

Edwin Kwan: A set of 14 security vulnerabilities named “5Ghoul” has been discovered in the firmware implementation of 5G mobile network modems from major chipset vendors like MediaTek and Qualcomm. The flaw impacts USB and IoT modems along with hundreds of smartphone models running Android and iOS.

Katy Craig: Cybersecurity researchers from Cado Security Labs have uncovered a new variant of P2PInfect compiled for the MIPS architecture used widely in routers and IoT devices. This latest version indicates the botnet’s expanding capability is in reach.

Ian Garrett: Now hackers are applying to jobs? TA4557, a threat actor active since 2018, is evolving its strategy to directly target recruiters with malicious URLs. Once the recruiter responds, TA4557 replies with a URL linking to a website controlled by the threat actor, posing as the candidate’s resume.


The Stories Behind the Cybersecurity Headlines


Edwin Kwan
5Ghoul Vulnerabilities Affecting Most 5G Smart Phones

Edwin Kwan, Contributing Journalist, It's 5:05 Podcast

A set of 14 security vulnerabilities named “5Ghoul” has been discovered in the firmware implementation of 5G mobile network modems from major chipset vendors like MediaTek and Qualcomm.

This is Edwin Kwan from Sydney, Australia.

The flaw impacts USB and IoT modems along with hundreds of smartphone models running Android and iOS. Three of the vulnerabilities are classified as high-severity, allowing attackers to disrupt connections, freeze links requiring manual reboot, or downgrade 5G connectivity to 4G.

The vulnerabilities were disclosed by researchers from the Singapore University of Technology and Design. The vulnerabilities affect 714 smartphones from 24 brands including Apple, Google, Samsung, and more. Patches have been released for 12 of the 14 flaws. The details of the remaining two have been withheld for confidentiality reasons. The vulnerabilities could be exploited by attackers to deceive smartphones into connecting to rogue space stations, leading to unintended consequences.

Make sure you are running the latest patches for your mobile device.

Resources
– Hacker News: https://thehackernews.com/2023/12/new-5g-modems-flaws-affect-ios-devices.html
– Secure Reading: https://securereading.com/5g-modem-flaws-impact-ios-and-android-devices/
– Bleeping Computer: https://www.bleepingcomputer.com/news/security/new-5ghoul-attack-impacts-5g-phones-with-qualcomm-mediatek-chips/


Katy Craig
P2PInfect: Evolving to Target Routers and IoT Devices

Katy Craig, Contributing Journalist, It's 5:05 Podcast

There’s a new development in the world of digital threats: the emergence of a botnet called P2PInfect, now evolving to target routers and IoT, that’s Internet of Things, devices.

This is Katy Craig in San Diego, California.

Cybersecurity researchers from Cado Security Labs have uncovered a new variant of P2PInfect compiled for the MIPS architecture used widely in routers and IoT devices. This latest version indicates the botnet’s expanding capability is in reach.

Originally discovered in July 2023, P2PInfect, a Rust-based malware, initially targeted unpatched Redis instances by exploiting a critical Lua sandbox escape vulnerability. However, a recent surge in P2PInfect activity reveals a more menacing threat landscape. This new variant not only attempts SSH bruteforce attacks on MIPS processor-embedded devices, but also incorporates sophisticated evasion and anti-analysis techniques. It’s suspected that both SSH and Redis servers serve as propagation vectors given the malware’s ability to run a Redis server on MIPS.

This development highlights the escalating sophistication of cyber threats and the need for heightened vigilance and robust security measures, especially for IoT and router devices. It’s a clear reminder that in the cyber world, threats are continuously evolving, and so must our defenses.

This is Katy Craig, stay safe out there.

Resources
– Hacker News: https://thehackernews.com/2023/12/new-p2pinfect-botnet-mips-variant.html
– Cado Security Labs: https://www.cadosecurity.com/p2pinfect-new-variant-targets-mips-devices/


Ian Garrett
That Job Candidate Might Be a Hacker

Ian Garrett, Contributing Journalist, It's 5:05 Podcast

Now hackers are applying to jobs? TA4557, a threat actor active since 2018, is evolving its strategy to directly target recruiters with malicious URLs. This group, known for using the More_eggs downloader as a malware dropper, previously applied to job postings on public boards or LinkedIn, embedding malicious URLs in their applications. However, since October 2023, Proofpoint has observed TA4557 directly emailing employers seeking candidates for various job roles, marking a shift in their approach.

Hey folks, this is Ian Garrett in Arlington, Virginia.

In this new method, the actor initiates contact with a recruiter through an email inquiry about a job posting. Once the recruiter responds, TA4557 replies with a URL linking to a website controlled by the threat actor, posing as the candidate’s resume. Alternatively, the actor may attach a PDF or Word document with instructions to visit the fake resume site.

Recently, TA4557 has even tried to evade detection by directing recipients to their email domain name to access their supposed portfolio, rather than directly sending the resume website URL in a follow-up email. Upon visiting the “personal website,” potential victims encounter a fake resume page. Here, the user is filtered, and if deemed a suitable target, is led to the next attack stage. This involves a CAPTCHA on the candidate website, which upon completion, triggers the download of a zip file containing a malicious shortcut file. This file exploits legitimate functions in a Microsoft utility program to download and execute a scriptlet, deploying the More_eggs backdoor.

More_eggs is a JavaScript backdoor used for establishing persistence, profiling the machine, and delivering additional payloads. TA4557, a financially motivated and skilled threat actor, has been using this backdoor to profile endpoints and send further payloads.

Proofpoint’s observations highlight a worrying trend of threat actors building trust through benign messages before delivering malicious content. This change in TA4557’s tactics serves as a warning for organizations using third-party posting platforms to be vigilant of such techniques.

Resources
– CSO Online: https://www.csoonline.com/article/1257289/new-malware-is-using-direct-emails-to-hunt-the-head-hunters.html


Mark Miller
This Day in Tech History

Mark Miller, Executive Producer, It's 5:05

This is Mark Miller sitting in for Marcel Brown and bringing you your tech history for the day.

December 12th, 1980. Apple Computer holds their initial public offering selling 4.6 million shares at $22 per share, and turning more than 40 Apple employees and investors into instant millionaires. With the stock value closing at $29, the market capitalization puts the company’s worth at $1.7 billion. Stock held by Steve Jobs is worth $217 million, Steve Wozniak $116 million, and Mike Markkula $203 million.

This was the largest IPO in the U.S. since the Ford Motor Company in 1956. Oh, to have gotten a piece of that fruit company back then.

That’s it for today’s tech history. To follow along with our daily updates, you can visit Marcel’s site at ThisDayInTechHistory.com.

Resources
– This Day in Tech History: https://thisdayintechhistory.com/12/12
