Overview:

• Phish Tale of the Week
• New Security Vulnerability in R Language Allows Code Execution via RDS/RDX Files
• Lazarus Group’s New Cyber Attack Strategy: Kaolin RAT Delivered Through Fabricated Job Offers
• How can Netizen help?

Phish Tale of the Week

Often times phishing campaigns, created by malicious actors, target users by utilizing social engineering. For example, in this text message, the actors are appearing as Norton Security. The message politely thanks us for our “order,” gives us an order number, and sends a pdf of the reciept. It seems both urgent and genuine, so why shouldn’t we visit the link they sent us? Luckily, there’s plenty of reasons that point to this being a scam.

Here’s how we can tell not to click on this pdf:

1. The first warning sign for this email is the fact that it includes a URL in the message. Typically, companies will send notifications like this through email, but they’ll end with a call to action within an already trusted environment, for example the statement “check your tracking details for more information.” Always be sure to think twice and check “urgent” statuses like this one through a trusted environment, and never click on links sent through an SMS from an unknown number.
2. The second warning signs in this text is the messaging. This message tries to create a sense of confusion and urgency in order to get you to take action by using language such as “Thank you for your order.” Phishing and smishing scams commonly attempt to create a sense of urgency/confusion in their messages in order to get you to click their link, or in this case pdf, without thinking about it first. Always be sure to thoroughly inspect the style and tone of all texts before following a link or other attatchment sent through email.
3. The final warning sign for this email is the writing style. None of the sentences inside this message to us make any sense, and its very clear that this is not a real email from Norton. The email includes a fake order number in order to appear legitimate, but it is easily overshadowed by the overall lack of professionalism within the rest of the email. After taking one quick look at the email’s wording and the sender, who is very much not Norton, it’s very obvious that this email is an attempt at a phish.

General Recommendations:

A phishing attack will typically direct the user to click on a link where they will then be prompted to update personal information, such as a password, credit card, social security, or bank account information. A legitimate company already has this sensitive information and would not ask for it again, especially via your text messages. 

1. Scrutinize your messages before clicking anything. Have you ordered anything recently? Does this order number match the one I already have? Did the message come from a store you don’t usually order supplies from or a service you don’t use? If so, it’s probably a phishing attempt.
2. Verify that the sender is actually from the company sending the message.
3. Did you receive a message from someone you don’t recognize? Are they asking you to sign into a website to give Personally Identifiable Information (PII) such as credit card numbers, social security number, etc. A legitimate company will never ask for PII via instant message or email.
4. Do not give out personal or company information over the internet.
5. Do not click on unrecognized links or attachments. If you do proceed, verify that the URL is the correct one for the company/service and it has the proper security in place, such as HTTPS.

Many phishing messages pose a sense of urgency or even aggressiveness to prompt a form of intimidation. Any email requesting immediate action should be vetted thoroughly to determine whether or not it is a scam. Also, beware of messages that seek to tempt users into opening an attachment or visiting a link. For example, an attachment titled “Fix your account now” may draw the question “What is wrong with my account?” and prompt you to click a suspicious link.

Cybersecurity Brief

In this month’s Cybersecurity Brief:

New Security Vulnerability in R Language Allows Code Execution via RDS/RDX Files

A significant security flaw, identified as CVE-2024-27322, has been discovered in the R programming language that poses a severe threat by allowing arbitrary code execution through deserialization of specially crafted RDS and RDX files. This vulnerability has been rated with a high severity score of 8.8 by HiddenLayer and affects versions of R from 1.4.0 to 4.3.9.

The R programming language, widely used among statisticians, data analysts, and increasingly in the AI/ML sector, is susceptible to a deserialization vulnerability that enables maliciously crafted R Data Serialization (RDS) or R package files (RDX) to execute arbitrary code on a victim’s machine. This issue is particularly concerning due to R’s extensive use in critical data analysis and machine learning environments.

The vulnerability exploits the serialization (‘saveRDS’) and deserialization (‘readRDS’) functions in R, specifically through the misuse of promise objects and “lazy evaluation” techniques. Malicious actors can embed promise objects within the metadata of RDS files as expressions, which are then executed during the deserialization process. This attack vector requires some degree of social engineering, as the victim needs to be persuaded to open the malicious files. Alternatively, attackers could distribute infected packages on popular repositories, passively waiting for users to download them.

According to research by HiddenLayer, an alarming number of projects and major platforms such as those from Facebook, Google, Microsoft, and AWS include potentially vulnerable code, making the impact of CVE-2024-27322 potentially widespread. Over 135,000 R source files on GitHub were found to reference the readRDS function, often involving untrusted user data, which poses a significant risk of system compromise.

To address this vulnerability, the R Core Team released version 4.4.0 on April 24, 2024, which introduces restrictions on the use of promise objects in the serialization stream, effectively mitigating the risk of arbitrary code execution. For those unable to upgrade immediately, CERT/CC recommends running RDS/RDX files in isolated environments such as sandboxes or containers to safeguard against attacks. Organizations are urged to update to the latest version of R promptly to protect their systems and data.

The vulnerability is currently awaiting further analysis by NVD, and organizations are advised to monitor updates and adhere to security best practices when dealing with serialization and deserialization of data. As the cybersecurity landscape evolves, staying informed and proactive in patching and security measures remains critical for all users and developers in the R community.

To read more about this article, click here.

Lazarus Group’s New Cyber Attack Strategy: Kaolin RAT Delivered Through Fabricated Job Offers

The Lazarus Group, a North Korea-linked cyber threat actor, has once again drawn attention by using fabricated job offers to deploy a sophisticated new malware, the Kaolin Remote Access Trojan (RAT), across Asia during the summer of 2023. This development marks a continuation of the group’s notorious employment of deceptive recruitment tactics to compromise specific targets.

Detailed in a recent report by Avast security researcher Luigino Camastra, the Kaolin RAT not only encompasses standard remote access capabilities but also introduces advanced functionalities. These include altering the last write timestamps of files and dynamically loading DLL binaries received from its command-and-control (C2) server. This malware serves as a conduit for the more perilous FudModule rootkit, which exploits a recently patched vulnerability in the appid.sys driver, CVE-2024-21338.

The initial infection vector employed by Lazarus involves tricking targets into executing a malicious ISO file disguised as an Amazon VNC client setup. This file contains three components: an executable masquerading as a legitimate Windows application (“AmazonVNC.exe”), and two supporting files (“version.dll” and “aws.cfg”) that initiate the infection chain. Once executed, this setup side-loads the version.dll, which then spawns a process to inject a payload from aws.cfg. This payload, in turn, is designed to download additional malicious components from a hijacked domain, which then lead to the deployment of subsequent malware stages like RollFling and RollSling, as previously uncovered by Microsoft.

The infection chain does not stop with RollSling; it extends to RollMid, another loader designed to manage communications with multiple C2 servers, utilizing techniques such as steganography to conceal data within image files. The ultimate goal of these communications is to retrieve and execute the Kaolin RAT, further establishing the malware’s control over the compromised system.

The Kaolin RAT is equipped to perform a variety of operations, including file manipulation, process management, and command execution, showcasing Lazarus Group’s technical prowess and strategic planning in crafting multi-layered cyber attacks.

The technical sophistication behind Lazarus Group’s latest campaign reveals their continued investment in developing complex attack vectors aimed at circumventing modern security defenses. Camastra’s report highlights the group’s relentless innovation and significant resource allocation toward understanding and undermining Windows security mechanisms.

Given the Lazarus Group’s history and capability to adapt swiftly to security developments, their latest campaign underscores the importance of vigilance in the cybersecurity community. Organizations are urged to scrutinize unsolicited job communications and enhance their security protocols to guard against such sophisticated threats.

To read more about this article, click here.

How Can Netizen Help?

Netizen ensures that security gets built-in and not bolted-on. Providing advanced solutions to protect critical IT infrastructure such as the popular “CISO-as-a-Service” wherein companies can leverage the expertise of executive-level cybersecurity professionals without having to bear the cost of employing them full time. 

We also offer compliance support, vulnerability assessments, penetration testing, and more security-related services for businesses of any size and type. 

Additionally, Netizen offers an automated and affordable assessment tool that continuously scans systems, websites, applications, and networks to uncover issues. Vulnerability data is then securely analyzed and presented through an easy-to-interpret dashboard to yield actionable risk and compliance information for audiences ranging from IT professionals to executive managers.

Netizen is a CMMI V2.0 Level 3, ISO 9001:2015, and ISO 27001:2013 (Information Security Management) certified company. We are a proud Service-Disabled Veteran-Owned Small Business that is recognized by the U.S. Department of Labor for hiring and retention of military veterans.