CISA issues critical warning on Juniper device vulnerabilities

SISA Weekly Threat Watch, 27 November 2023

This week’s cybersecurity landscape witnessed diverse threats, from nation-state malware targeting macOS to hidden malicious Python packages on trusted platforms. Also observed were sophisticated espionage activities by Chinese hacking groups, VMware’s alert on a critical Cloud Director vulnerability, and CISA’s urgent warning regarding active exploits targeting Juniper devices. These incidents highlight escalating cyber risks across various platforms and sectors, necessitating heightened vigilance and immediate proactive measures to combat these evolving threats.

SISA Weekly Threat Watch – our weekly feature brings to you a quick snapshot of all the major security vulnerabilities that posed a threat to organizations worldwide. These recurring actionable threat advisories will also provide information and recommendations that will help security teams take appropriate actions to defend against the latest and critical threats.

1. BlueNoroff blamed for hacking macOS machines with ObjCShellz malware

The BlueNoroff APT group, linked to North Korea, has emerged with ObjCShellz, a newly identified macOS-targeting malware akin to the RustBucket campaign. Discovered while investigating a Mach-O binary connecting to a suspicious domain previously linked to BlueNoroff, ObjCShellz is coded in Objective-C, acting as a remote shell for executing commands from the attackers’ command-and-control (C2) server.

Though the malware’s initial access method remains unclear, it is suspected to be disseminated through social engineering tactics. The focus on a domain related to cryptocurrency hints at potential targets within the cryptocurrency exchange sector. To prevent such attacks, it is recommended to implement robust network monitoring tools with anomaly detection capabilities, enhance endpoint security, and conduct thorough training sessions for users to recognize and resist social engineering attempts.

2. CISA urges immediate action to secure Juniper devices against active exploits

CISA (Cybersecurity and Infrastructure Security Agency) has issued a warning urging federal agencies to secure Juniper devices due to four vulnerabilities (CVE-2023-36844 to CVE-2023-36847) currently exploited in remote code execution attacks. These vulnerabilities in Juniper’s J-Web interface pose significant risks: by combining specific requests that upload arbitrary files without authentication, an attacker can achieve pre-authentication remote code execution.

Exploitation attempts were detected shortly after Juniper’s security updates were released, coinciding with the publication of a proof-of-concept (PoC) exploit. ShadowServer data shows over 10,000 vulnerable Juniper devices exposed online, with a notable concentration in South Korea. Administrators are advised to immediately secure their devices by upgrading JunOS to the most recent release. As a minimum precaution, it is also recommended to disable J-Web or restrict Internet access to the J-Web interface to eliminate the attack vector.

3. Lazarus Group exploits Zoho ManageEngine flaw, deploys QuiteRAT malware

A new type of ransomware, named Mimic, utilizes the APIs of the Windows file search tool ‘Everything’ to locate and encrypt targeted files. It begins with an executable delivered via email, which when executed extracts four files including the main payload, additional files, and tools to disable Windows Defender on the targeted system. The utility ‘Everything’ is a popular filename search engine for Windows developed by Void Tools. It is known for its speed and low system resource usage, as well as its support for real-time updates.

Mimic ransomware encrypts files and adds the “.QUIETPLACE” extension to them. It also drops a ransom note which demands payment in Bitcoin to recover the encrypted data. It is recommended to keep all software and operating systems up to date to reduce the risk of vulnerabilities being exploited. Regularly back up important data to an offline location to ensure its restoration in case of a ransomware attack.

4. Gootkit malware continues to evolve with new components and obfuscations

The Lazarus Group leveraged a critical security vulnerability in Zoho ManageEngine ServiceDesk Plus, identified as CVE-2022-47966. This exploitation occurred only five days after its proof-of-concept appeared online. The attackers used this flaw to directly deploy the QuiteRAT binary from a malicious URL. QuiteRAT is a sophisticated malware developed on the Qt framework, which adds to the complexity of its code and makes analysis considerably more challenging.

Researchers noted a significant shift in the Lazarus Group’s approach. Instead of predominantly using their tools post-compromise, they now increasingly rely on open-source tools and frameworks even during the initial access phase of their operations. Historically, the Lazarus Group favored custom-built implants such as MagicRAT, VSingle, Dtrack, and YamaBot to establish initial access on compromised systems. Organizations need to remain vigilant, keeping their systems patched and adopting proactive detection and defense mechanisms to counter such advanced persistent threats.

5. Prilex modification now targeting contactless credit card transactions

Prilex, the Brazilian threat actor behind the point-of-sale (PoS) malware of the same name, is a singular threat actor that has evolved from ATM-focused malware into unique modular PoS malware, which is the most advanced PoS threat seen so far. Its new updates allow it to block contactless payment transactions to steal from NFC cards. The main purpose of the newly discovered functionality is to disable the contactless payment feature, forcing the user to insert the card into the PIN pad reader.

This effectively permits the threat actors to capture the data coming from the transaction by using various techniques, such as manipulating cryptograms, forcing protocol downgrades, and performing a GHOST attack. This can be accomplished even on cards protected with the so-called unhackable CHIP and PIN technology. PoS software developers are advised to implement self-protection techniques in their modules to prevent malicious code from tampering with the transactions managed by those modules. Additionally, all EMV validations must be implemented to protect against counterfeit fraud through authentication of unique data that resides on chip cards, smart phones, and other devices.

To change this one, subscribe to SISA Daily Threat Watch – our daily actionable threat advisories.

For a deeper understanding of how you can prevent these threats from affecting your organization, request a call to get in touch with our experts.
