Netizen Cybersecurity Bulletin (August 28th, 2023)


  • Phish Tale of the Week
  • North Korean Hackers Could be About to Cash Out 40 Million in Stolen Bitcoin
  • New WinRAR Zero-Day Vulnerability Could Install Malware When You Unzip Files
  • How can Netizen help?

Phish Tale of the Week

Phishing attempts often target a specific group of users and come in many forms. In this instance, we see a phishing scam aimed at PayPal users, built around a link that is supposed to “reactivate your account.” The message claims our account has been limited and that clicking the link will bring everything back to normal. There has supposedly been unauthorized activity on our account and the email sounds urgent, so why not click the link and find out what is going on? Luckily, there are plenty of reasons that point to this being a phishing scam.

Here’s how we can tell not to click on this link:

  1. The first red flag in this message is the sender’s address. Always inspect the sender’s address thoroughly to confirm the message comes from a trusted sender. In this case, the sender used email spoofing to change the visible address to “” so that it would seem more legitimate. Keep in mind that the display name and even the From address are trivial to forge; the envelope sender (Return-Path) and your mail server’s SPF, DKIM and DMARC results are much harder for an attacker to fake, so check those headers when something looks off.
  2. The second warning sign in this email is the messaging. The message tries to create a sense of urgency with phrases like “we noticed some unusual activity” and “Please take action on your account soon.” Phishing scams routinely manufacture urgency so that you click the link before thinking about it. Always read the wording of an email carefully before clicking any link it contains.
  3. The final warning sign is the lack of legitimate PayPal information. Fortune 500 companies and similar organizations standardize all email communications with customers. Support links, postal addresses, acceptable use policies and other information are always provided at the bottom of each email, along with options to unsubscribe or change messaging preferences. This email lacks all the parts of a credible PayPal email and should immediately be treated as a phishing attempt.

General Recommendations:

A phishing email will typically direct the user to click on a link where they are then prompted to update personal information, such as a password, credit card number, Social Security number, or bank account details. A legitimate company already has this sensitive information and would not ask for it again, especially via email.

  • Scrutinize your emails before clicking anything. Have you ordered anything recently? Does this order number match one you already have? Did the email come from a store you don’t usually order from or a service you don’t use? If so, it’s probably a phishing attempt.
  • Verify that the sender is actually from the company the message claims to represent.
  • Did you receive a message or email from someone you don’t recognize? Are they asking you to sign into a website to provide Personally Identifiable Information (PII) such as credit card numbers or your Social Security number? A legitimate company will never ask for PII via instant message or email.
  • Do not give out personal or company information over the internet.
  • Do not click on unrecognized links or attachments. If you do proceed, verify that the URL is the correct one for the company or service. A padlock or HTTPS on its own proves nothing about who runs the site, since phishing pages routinely use valid certificates; it is the domain name itself that has to match.

Many phishing emails convey urgency or even aggression in order to intimidate the reader. Any email requesting immediate action should be vetted thoroughly to determine whether or not it is a scam. Also beware of messages that try to tempt you into opening an attachment or visiting a link. For example, an attachment titled “Fix your account now” is designed to raise the question “What is wrong with my account?” and prompt you to click.
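The sender and messaging checks above can be automated against a saved message. The script below is an added example, not part of the original bulletin: it parses RFC 5322 headers with Python's standard `email` module, compares the From domain with the Return-Path and Reply-To domains, reads your own mail server's SPF/DKIM/DMARC verdicts from the Authentication-Results header (RFC 8601), and looks for urgency phrases and links that leave the claimed brand's domain. Both raw messages are constructed for illustration, and the `.example` hostnames and the `mx.example.net` server name are placeholders.

```python
"""Triage a suspicious e-mail the way the red flags above suggest.

Added example; the two messages below are constructed, not real PayPal mail.
Usage on a real message:  triage(open("suspect.eml").read(), "paypal.com")
"""
import email
import re
from email.utils import parseaddr
from typing import List

URGENCY = ("unusual activity", "take action", "account has been limited",
           "verify your account", "within 24 hours")
URL_RE = re.compile(r"https?://([^/\s\"'>]+)", re.IGNORECASE)

SPOOFED_SAMPLE = """\
From: "PayPal" <service@paypal.com>
Return-Path: <bounce@mail-notify-secure.example>
Reply-To: <support@paypal-account-review.example>
Authentication-Results: mx.example.net; spf=fail smtp.mailfrom=mail-notify-secure.example; dkim=none; dmarc=fail header.from=paypal.com
Subject: Your account has been limited

We noticed some unusual activity on your account. Please take action on
your account soon: http://paypal-account-review.example/reactivate
"""

LEGIT_SAMPLE = """\
From: "PayPal" <service@paypal.com>
Return-Path: <bounces@paypal.com>
Authentication-Results: mx.example.net; spf=pass smtp.mailfrom=paypal.com; dkim=pass header.d=paypal.com; dmarc=pass header.from=paypal.com
Subject: Your monthly statement is ready

Your statement for last month is available at https://www.paypal.com/statements
"""


def _domain(addr: str) -> str:
    """Domain part of an address, lower-cased; '' when there is no address."""
    return addr.rsplit("@", 1)[-1].lower().strip("<>") if "@" in addr else ""


def _auth_result(header: str, method: str) -> str:
    """Verdict ('pass', 'fail', 'none', ...) for one method in Authentication-Results."""
    m = re.search(rf"\b{method}=(\w+)", header or "", re.IGNORECASE)
    return m.group(1).lower() if m else "missing"


def _in_domain(host: str, claimed: str) -> bool:
    return host == claimed or host.endswith("." + claimed)


def triage(raw: str, claimed_domain: str) -> List[str]:
    """Return a list of red flags; an empty list means the headers are consistent."""
    msg = email.message_from_string(raw)
    claimed_domain = claimed_domain.lower()
    findings: List[str] = []

    # 1. Does the visible sender line up with the brand the mail claims to be from?
    _name, from_addr = parseaddr(msg.get("From", ""))
    from_dom = _domain(from_addr)
    if not _in_domain(from_dom, claimed_domain):
        findings.append(f"From domain {from_dom!r} is not {claimed_domain}")

    # 2. A spoofer rarely controls the bounce address or the reply path of the brand.
    for hdr in ("Return-Path", "Reply-To"):
        dom = _domain(parseaddr(msg.get(hdr, ""))[1])
        if dom and dom != from_dom:
            findings.append(f"{hdr} domain {dom!r} differs from From domain {from_dom!r}")

    # 3. The receiving server's own SPF/DKIM/DMARC verdicts.
    auth = msg.get("Authentication-Results", "")
    for method in ("spf", "dkim", "dmarc"):
        verdict = _auth_result(auth, method)
        if verdict != "pass":
            findings.append(f"{method.upper()} result is {verdict}")

    # 4. Urgency language and links pointing away from the claimed domain.
    text = msg.get("Subject", "") + "\n"
    for part in msg.walk():
        if part.get_content_type() in ("text/plain", "text/html"):
            text += (part.get_payload(decode=True) or b"").decode(errors="replace")
    hits = [p for p in URGENCY if p in text.lower()]
    if hits:
        findings.append("urgency language: " + ", ".join(hits))
    for host in sorted({h.lower() for h in URL_RE.findall(text)}):
        if not _in_domain(host, claimed_domain):
            findings.append(f"link to off-brand host {host}")
    return findings


if __name__ == "__main__":
    for label, sample in (("spoofed", SPOOFED_SAMPLE), ("legit", LEGIT_SAMPLE)):
        print(label, triage(sample, "paypal.com"))
```

The Authentication-Results header is only trustworthy when it was written by your own mail server; an attacker can insert a forged one, so production tooling should strip or ignore any copy not added by the receiving host (mail servers normally do this for their own authserv-id).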

Cybersecurity Brief

In this week’s Cybersecurity Brief:

North Korean Hackers Could be About to Cash Out 40 Million in Stolen Bitcoin

The FBI has issued a warning concerning six cryptocurrency wallet addresses believed to hold more than $40 million in stolen Bitcoin.

“Over the last 24 hours, the FBI tracked cryptocurrency stolen by the Democratic People’s Republic of Korea (DPRK) TraderTraitor-affiliated actors (also known as Lazarus Group and APT38),” the warning from August 22nd reads. “The FBI believes the DPRK may attempt to cash out the bitcoin worth more than $40 million dollars.”

This warning isn’t the first time the Lazarus Group has appeared in crypto-theft news. The FBI reports that the group has been behind several recent attacks, including:

  1. June 22, 2023: They stole $60 million worth of virtual currency from Alphapo.
  2. June 22, 2023: Another heist saw them steal $37 million worth of virtual currency from CoinsPaid.
  3. June 2, 2023: They managed to steal $100 million in virtual currency from Atomic Wallet.

Previously, the group also drained Harmony’s Horizon bridge and Sky Mavis’ Ronin Bridge in 2022, and it has been under sanctions from the U.S. Department of the Treasury’s Office of Foreign Assets Control (OFAC) since 2019.

The agency lists six addresses that it is currently tracking and that hold approximately 1,580 of the stolen Bitcoin:

  1. 3LU8wRu4ZnXP4UM8Yo6kkTiGHM9BubgyiG
  2. 39idqitN9tYNmq3wYanwg3MitFB5TZCjWu
  3. 3NbdrezMzAVVfXv5MTQJn4hWqKhYCTCJoB
  4. 3AAUBbKJorvNhEUFhKnep9YTwmZECxE4Nk
  5. 3PjNaSeP8GzLjGeu51JR19Q2Lu8W2Te9oc
  6. 34VXKa5upLWVYMXmgid6bFM4BaQXHxSUo

The FBI’s directive is clear: “Private sector entities should examine the blockchain data associated with these addresses and be vigilant in guarding against transactions directly with, or derived from, the addresses.” Interacting with these addresses, directly or indirectly, could inadvertently support illicit activity and fund criminal operations, and because the Lazarus Group is OFAC-sanctioned it also exposes a business to sanctions liability.
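What “directly with, or derived from” looks like in practice is a screen that flags payments to a listed address and also funds that have passed through one a few hops earlier. The script below is an added example, not part of the FBI alert or of Netizen’s tooling. The watchlist is the six addresses quoted above; every transaction is constructed for illustration (addresses like `mixer-hop1` are labels, not real wallets), and a real deployment would read transactions from a node such as bitcoind’s RPC interface or from an explorer API. It also validates each watchlist entry’s Base58Check checksum, which catches a mistyped or truncated address before it silently fails to match anything.

```python
"""Screen Bitcoin transactions against a watchlist of flagged addresses.

Added example. Flags (a) transactions that pay a listed address directly and
(b) transactions spending funds within `max_hops` transfers of one. The taint
is tracked per address, which is coarse; a production screen follows
individual UTXOs and amounts.
"""
import hashlib
from typing import Dict, List, Set, Tuple

# The six addresses named in the FBI alert quoted above.
FBI_ADDRESSES = [
    "3LU8wRu4ZnXP4UM8Yo6kkTiGHM9BubgyiG",
    "39idqitN9tYNmq3wYanwg3MitFB5TZCjWu",
    "3NbdrezMzAVVfXv5MTQJn4hWqKhYCTCJoB",
    "3AAUBbKJorvNhEUFhKnep9YTwmZECxE4Nk",
    "3PjNaSeP8GzLjGeu51JR19Q2Lu8W2Te9oc",
    "34VXKa5upLWVYMXmgid6bFM4BaQXHxSUo",
]
B58 = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"


def base58check_valid(addr: str) -> bool:
    """True if a legacy (1...) or P2SH (3...) address decodes to 25 bytes whose
    last four bytes equal the first four of SHA256(SHA256(first 21 bytes)).
    Bech32 (bc1...) addresses use a different scheme and are not handled here."""
    n = 0
    for ch in addr:
        i = B58.find(ch)
        if i < 0:                      # '0', 'O', 'I', 'l' are not in the alphabet
            return False
        n = n * 58 + i
    leading_ones = len(addr) - len(addr.lstrip("1"))   # each leading '1' is a 0x00 byte
    raw = b"\x00" * leading_ones + n.to_bytes((n.bit_length() + 7) // 8, "big")
    if len(raw) != 25:
        return False
    digest = hashlib.sha256(hashlib.sha256(raw[:-4]).digest()).digest()
    return digest[:4] == raw[-4:]


def screen(txs: List[dict], watchlist: Set[str], max_hops: int = 2) -> Dict[str, Tuple[int, str]]:
    """Walk transactions in chain order and return {txid: (hop, reason)}.
    hop 0: the transaction pays a watchlisted address.
    hop k: it spends funds k transfers downstream of a watchlisted address."""
    taint: Dict[str, int] = {a: 0 for a in watchlist}      # address -> hops from watchlist
    flagged: Dict[str, Tuple[int, str]] = {}
    for tx in txs:
        direct = [o for o in tx["outputs"] if o in watchlist]
        if direct:
            flagged[tx["txid"]] = (0, f"pays watchlisted address {direct[0]}")
        tainted_inputs = [(taint[i], i) for i in tx["inputs"] if i in taint]
        if not tainted_inputs:
            continue
        hop, source = min(tainted_inputs)   # closest link to the watchlist wins
        hop += 1
        if hop > max_hops:
            continue                         # beyond the screening horizon
        flagged.setdefault(tx["txid"], (hop, f"spends funds {hop} hop(s) from watchlist via {source}"))
        for o in tx["outputs"]:              # recipients inherit the taint
            taint[o] = min(taint.get(o, hop), hop)
    return flagged


# Constructed transactions: txid, spending addresses, receiving addresses.
SAMPLE_TXS = [
    {"txid": "tx1", "inputs": [FBI_ADDRESSES[0]], "outputs": ["mixer-hop1"]},
    {"txid": "tx2", "inputs": ["mixer-hop1"], "outputs": ["otc-desk-hop2", "mixer-change"]},
    {"txid": "tx3", "inputs": ["otc-desk-hop2"], "outputs": ["exchange-hop3"]},
    {"txid": "tx4", "inputs": ["customer-a"], "outputs": [FBI_ADDRESSES[2]]},
    {"txid": "tx5", "inputs": ["customer-a"], "outputs": ["merchant-b"]},
]

if __name__ == "__main__":
    for a in FBI_ADDRESSES:
        if not base58check_valid(a):
            print("checksum mismatch, re-check this watchlist entry:", a)
    for txid, (hop, why) in screen(SAMPLE_TXS, set(FBI_ADDRESSES)).items():
        print(f"{txid}: hop {hop}: {why}")
```

With the default horizon of two hops, tx1 and tx2 are flagged, tx3 falls just outside it, tx4 is flagged for paying a listed address outright, and tx5 is clean; raising `max_hops` pulls tx3 in. Address-level taint over-flags change outputs and under-flags mixers that split funds, which is why exchanges run UTXO-level analysis, but the hop logic is the same.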

The Lazarus Group’s heists make clear that any organization touching cryptocurrency needs to raise its security posture. That includes training the personnel who handle crypto, keeping records of every transaction, and screening the wallet addresses you and your organization interact with against published watchlists such as this one before funds move.

In these times, staying one step ahead in the ever-evolving world of cybersecurity isn’t just advisable—it’s essential. Your organization’s digital assets and financial future hinge on your proactive efforts to heighten awareness and be informed.


New WinRAR Zero-Day Vulnerability Could Install Malware When You Unzip Files

If you’re a WinRAR user, a recent security issue demands your immediate attention. A vulnerability in WinRAR, the widely used archiving tool, has been assigned the identifier CVE-2023-40477. The flaw lies in WinRAR’s processing of recovery volumes: user-supplied data is not properly validated, which can result in memory access past the end of an allocated buffer, and an attacker can leverage that to execute code in the context of the current process. Because the victim has to open a crafted archive, the issue is rated high rather than critical, with a CVSS score of 7.8.

The flaw was reported to Trend Micro’s Zero Day Initiative (ZDI) by a researcher known as “goodbyeselene” on June 8. RARLAB released the fix, WinRAR 6.23, on August 2, 2023, before ZDI published its advisory on August 17, so strictly speaking this one was a privately reported bug patched ahead of disclosure rather than a zero-day. The same release also closes a separate flaw that was exploited in the wild: according to Group-IB researcher Andrey Polovinkin, “WinRAR could start a wrong file after a user double clicked an item in a specially crafted archive.” That second issue is tracked as CVE-2023-38831.

It is that second flaw that had real-world consequences. Threat actors used it to craft ZIP archives carrying various malware families, distributed them on trading forums, and once a victim opened the archive the embedded malware let the attackers withdraw money from broker accounts. “By exploiting a vulnerability within this program, threat actors were able to craft ZIP archives that serve as carriers for various malware families,” Polovinkin stated. “This vulnerability has been exploited since April 2023.”
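The “wrong file started” trick relies on an archive layout no legitimate archive needs: a decoy file and a directory that share the exact same name, with the directory holding a script of the same name plus an executable extension, the names typically padded with a trailing space so they look identical in a listing. The script below is an added example, not code from Group-IB or RARLAB, and the heuristic is my own: it inspects a ZIP’s entry names for trailing whitespace in path components, file-versus-directory name collisions, and scripts inside such a colliding directory. The two archives are built in memory from constructed content; the “malicious” one only carries an `echo` line, no payload.

```python
"""Flag ZIP archives laid out to make an archiver start the wrong file.

Added example. Inspects entry names only, so it is cheap enough to run on
every inbound attachment before a user ever double-clicks anything.
"""
import io
import os
import zipfile
from typing import List, Tuple

SCRIPT_EXT = {".cmd", ".bat", ".exe", ".com", ".scr", ".vbs", ".js", ".ps1", ".lnk", ".hta"}


def scan_zip(data: bytes) -> List[Tuple[str, str]]:
    """Return (finding, entry) pairs; an empty list means nothing suspicious."""
    findings: List[Tuple[str, str]] = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        names = [zi.filename for zi in zf.infolist()]

    # 1. Trailing whitespace in a path component is invisible in most listings and
    #    is what lets two different names look identical to the user.
    for n in names:
        if any(c and c != c.rstrip() for c in n.split("/")):
            findings.append(("trailing-whitespace", n))

    # 2. A file entry whose exact name is also used as a directory by other entries.
    files = [n for n in names if not n.endswith("/")]
    for f in files:
        children = [n for n in names if n.startswith(f + "/") and n != f + "/"]
        if not children:
            continue
        findings.append(("file-and-directory-share-name", f))
        # 3. Anything executable inside that directory is the actual hazard.
        for child in children:
            if os.path.splitext(child.rstrip())[1].lower() in SCRIPT_EXT:
                findings.append(("script-inside-colliding-directory", child))
    return findings


def build_sample(malicious: bool) -> bytes:
    """Constructed fixtures. The malicious layout mirrors the decoy-plus-same-named
    directory structure; its script only echoes a line."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        if malicious:
            zf.writestr("statement.pdf ", b"%PDF-1.4 constructed decoy")
            zf.writestr("statement.pdf /statement.pdf .cmd", b"@echo constructed sample\r\n")
        else:
            zf.writestr("statement.pdf", b"%PDF-1.4 constructed decoy")
            zf.writestr("docs/readme.txt", b"constructed sample")
    return buf.getvalue()


if __name__ == "__main__":
    for label in ("benign", "malicious"):
        print(label, scan_zip(build_sample(label == "malicious")))
```

Python’s `zipfile` preserves the odd names as written, so the scanner sees what WinRAR would see. A positive hit is a reason to quarantine the attachment, not proof of the specific CVE; the same layout can be flagged and blocked regardless of which archiver bug it targets.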

To safeguard your personal or business computer, take action now: upgrade to WinRAR 6.23 or later, the release that addresses both flaws described above. WinRAR does not update itself, so the upgrade has to be installed manually or pushed through your software deployment tooling. Keeping your software current and staying cautious with unfamiliar archives, especially ones received through forums or email, reduces the risk of falling victim to such threats.

In conclusion, the WinRAR flaws are a reminder that threats constantly evolve and that staying safe requires keeping up with recent vulnerabilities. Stay proactive, keep your software current, and exercise caution to protect your system. Your system’s security is in your hands.

Netizen ensures that security gets built in, not bolted on, providing advanced solutions to protect critical IT infrastructure such as our popular “CISO-as-a-Service,” through which companies can leverage the expertise of executive-level cybersecurity professionals without bearing the cost of employing them full time.

We also offer compliance support, vulnerability assessments, penetration testing, and more security-related services for businesses of any size and type. 

Additionally, Netizen offers an automated and affordable assessment tool that continuously scans systems, websites, applications, and networks to uncover issues. Vulnerability data is then securely analyzed and presented through an easy-to-interpret dashboard to yield actionable risk and compliance information for audiences ranging from IT professionals to executive managers.

Netizen is a CMMI V2.0 Level 3, ISO 9001:2015, and ISO 27001:2013 (Information Security Management) certified company. We are a proud Service-Disabled Veteran-Owned Small Business that is recognized by the U.S. Department of Labor for hiring and retention of military veterans. 

Copyright © Netizen Corporation. All Rights Reserved.