In this edition of our Threat Digest, we bring you a detailed overview of the latest cybersecurity developments. From the emergence of Turtle Ransomware’s targeting of macOS systems to Zyxel’s urgent response to critical NAS vulnerabilities, the landscape of cyberthreats continues to evolve. We additionally cover:  

  • the significant disruption of the Qakbot malware by the DOJ and FBI, 
  • the alarming new Cactus ransomware campaign,  
  • critical vulnerabilities affecting both ownCloud and Google Chrome, 
  • Okta’s extensive data breach, 
  • a novel RSA key vulnerability, 
  • a severe security flaw in WPS Office, and 
  • the concerning spread of the Atomic Stealer’s macOS campaign. 

Stay informed and proactive with our in-depth analysis of these critical cybersecurity issues. 

Shell Shock: Turtle Ransomware Crawls Into macOS Territory

A new ransomware strain, “Turtle,” targeting macOS has been analyzed by Objective-See. Discovered on Nov. 29, it is already flagged by numerous antivirus engines as malicious. Turtle Ransomware, found in an archive containing platform-specific files for Windows, Linux, and macOS, uses simple Mach-O executables for macOS. Although it is ad hoc-signed, allowing it to run on macOS, Apple’s Gatekeeper should block it unless explicitly permitted or exploited. The malware, written in Go, targets specific file types for encryption using AES in CTR mode. Although the average macOS user is unlikely to be impacted, the emergence of Turtle Ransomware highlights the increasing focus of ransomware authors on macOS platforms. 

Zyxel’s NAS-tastic Security Update: Patching Up Pesky Bugs!

Zyxel has issued updates for its network-attached storage (NAS) devices to address multiple security vulnerabilities, including three critical ones, which could allow attackers to execute operating system commands. These vulnerabilities affect NAS326 and NAS542 models, commonly used by small- to medium-sized businesses (SMBs), IT professionals, and digital artists for data storage and management. The critical vulnerabilities, identified as: 

  • CVE-2023-35138, 
  • CVE-2023-4473, and 
  • CVE-2023-4474, 

enable unauthenticated attackers to execute commands via crafted URLs, posing a high risk of unauthorized access and control over the devices. Users are urged to upgrade their firmware to the latest versions. No additional mitigation or workarounds have been provided by Zyxel, making firmware updates the primary recommendation for securing the devices against these threats. 

Qakbot Quashed, But Its Cyber Cousins Might Be Lurking!

The DOJ and FBI’s recent operation against the Qakbot malware and botnet resulted in a significant disruption but did not completely neutralize the threat. The operation, which involved removing malware from approximately 700,000 infected devices globally, including 200,000 in the U.S., did not lead to any arrests. This outcome raises concerns that the same threat actors might be behind potential spinoffs like DarkGate and PikaBot. The DOJ advises: 

  • implementing multifactor authentication (MFA), 
  • regular security training, 
  • software updates, 
  • strong passwords, 
  • network traffic filtering, 
  • a comprehensive recovery plan, and 
  • adherence to the “3-2-1” backup rule to mitigate future threats. 

Individuals can also check for past Qakbot infections using resources like Have I Been Pwned. 

Cactus Ransomware Found Poking Vulnerabilities

Arctic Wolf Labs reports a new Cactus ransomware campaign targeting publicly exposed installations of Qlik Sense, a business intelligence platform. The campaign exploits known vulnerabilities (CVE-2023-41266, CVE-2023-41265, CVE-2023-48365) for initial access. Attackers use the Qlik Sense Scheduler service to execute malicious activities, including downloading tools like ManageEngine UEMS, AnyDesk, and Plink for persistence and remote control. These intrusions involve PowerShell and BITS for further malicious downloads and actions such as changing admin passwords and establishing RDP tunnels. Arctic Wolf’s investigation, still ongoing, has detected early-stage activities of these attacks, linking them to the same actor responsible for Cactus ransomware deployment. This development emphasizes the importance of patching known vulnerabilities and maintaining vigilant cybersecurity practices. 

Critical Update for ownCloud Users: Tackling the Graph API Vulnerability

GreyNoise Labs has highlighted a critical vulnerability in ownCloud’s Graph API, identified as CVE-2023-49103 with a top severity rating of 10/10. This flaw, present in ownCloud versions 0.2.0 to 0.3.0, allows attackers to access admin passwords, mail server credentials, and license keys. Mass exploitation of this vulnerability has been observed since Nov. 25, 2023. The vulnerability stems from a third-party library in the “graphapi” app, revealing sensitive PHP environment configurations. Non-containerized ownCloud instances are vulnerable, while Docker containers before February 2023 are safe. Mitigation involves manual steps like deleting a directory and changing compromised secrets. ownCloud also disclosed other critical vulnerabilities, including an authentication bypass (CVE-2023-49105) and an oauth2 app-related flaw (CVE-2023-49104). Immediate action is recommended for organizations using ownCloud. 

Chrome’s Security Whack-A-Mole: Google Squashes Sixth Bug of the Year!

Google has released an emergency update for Chrome to fix its sixth zero-day vulnerability of the year, CVE-2023-6345, which has already been exploited in attacks. The flaw, discovered by Google’s Threat Analysis Group, originates from an integer overflow in the Skia graphics library, which could lead to crashes or arbitrary code execution. This update, essential for safeguarding users against potential spyware campaigns often linked to state-sponsored actors, is being rolled out globally for Windows, Mac, and Linux. To minimize exploitation risks, Google is limiting access to the bug’s details until a majority of users have installed the update. Users can expect automatic updates, reinforcing Google’s commitment to combating cyberthreats and enhancing browser security. 

Atomic Stealer Takes on macOS with ClearFake

Atomic Stealer, also known as AMOS, is targeting macOS users through ‘ClearFake,’ a deceptive campaign distributing malware via fake browser updates, as reported by Malwarebytes. This method, previously used in Windows attacks, involves tricking users into downloading a DMG file masquerading as a Safari or Chrome update. Once executed, it steals credentials and files. Originally identified by Randy McEoin and adapted for Mac, ClearFake’s expansion signifies a growing threat to macOS users, emphasizing the importance of using web protection tools for enhanced security. 

Okta’s Escalating Error: New Details in Data Breach Saga

Okta’s investigation into a recent Help Center breach reveals extensive customer data exposure. Initially believed to affect fewer than 1% of clients, further analysis showed that a report containing names, emails, and other details of all customer support system users was downloaded, including administrators, many of them without MFA. This breach extends to Okta certified users and employees, heightening the risk of phishing or social engineering attacks. Okta recommends implementing robust MFA, strict session timeouts, and increased vigilance against phishing. This incident, following past attacks including source code theft and laptop access, underscores ongoing security challenges for Okta and its customers. 

SSH-aken, Not Stirred: Unraveling RSA Key Mysteries

Researchers from the University of California, San Diego, and MIT published research that uncovered a passive method to extract private RSA host keys from SSH servers during connection establishment. This technique exploits naturally occurring computational faults, enabling attackers to compute private keys without detection. Known as a lattice-based key recovery fault attack, it has successfully exposed the private keys of 189 RSA public keys across devices from Cisco, Hillstone Networks, Mocana, and Zyxel. This vulnerability poses a significant risk for secure data transmission, potentially leading to adversary-in-the-middle attacks. The study highlights the need for cryptographic best practices, such as early encryption of protocol handshakes and separation of authentication from encryption keys. The implementation of TLS version 1.3, which encrypts handshakes, is noted as an effective countermeasure against such vulnerabilities. 
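To see why a single faulty signature is so damaging, and why a signer must check its own output before transmitting it, here is an added example in C that is not part of the research paper or this digest. It implements a toy RSA-CRT signer with constructed parameters far too small for real use (P, Q, E and all function names are assumptions for the illustration), perturbs one CRT half to model a transient computational fault, and applies Lenstra’s classic observation that such a signature exposes a prime factor via a gcd when the signed value is known. It then shows the countermeasure: verify s^e == m before the signature leaves the signer. The paper’s lattice technique extends this idea to the SSH setting, where a passive observer does not know the full signed message; the block shows only the simpler known-message case.

```c
#include <stdint.h>
#include <stdio.h>

/* Toy RSA parameters, constructed for illustration; real keys are 2048+ bits. */
#define P 10007ULL
#define Q 10009ULL
#define N (P * Q)          /* 100160063: small enough that products fit in uint64_t */
#define E 65537ULL

struct rsa_priv { uint64_t d, dp, dq, qinv; };

static uint64_t mulmod(uint64_t a, uint64_t b, uint64_t m) {
    return ((a % m) * (b % m)) % m;   /* safe because m < 2^32 */
}

static uint64_t powmod(uint64_t base, uint64_t exp, uint64_t m) {
    uint64_t r = 1;
    base %= m;
    while (exp) {
        if (exp & 1) r = mulmod(r, base, m);
        base = mulmod(base, base, m);
        exp >>= 1;
    }
    return r;
}

static uint64_t gcd(uint64_t a, uint64_t b) {
    while (b) { uint64_t t = a % b; a = b; b = t; }
    return a;
}

/* Modular inverse by the extended Euclidean algorithm; assumes gcd(a, m) == 1. */
static uint64_t invmod(uint64_t a, uint64_t m) {
    int64_t t = 0, newt = 1, r = (int64_t)m, newr = (int64_t)(a % m);
    while (newr) {
        int64_t quot = r / newr, tmp;
        tmp = t - quot * newt; t = newt; newt = tmp;
        tmp = r - quot * newr; r = newr; newr = tmp;
    }
    return (uint64_t)(t < 0 ? t + (int64_t)m : t);
}

static struct rsa_priv keygen(void) {
    struct rsa_priv k;
    uint64_t phi = (P - 1) * (Q - 1);
    k.d = invmod(E, phi);
    k.dp = k.d % (P - 1);
    k.dq = k.d % (Q - 1);
    k.qinv = invmod(Q, P);
    return k;
}

/* RSA-CRT signing of the (already hashed) value m. When inject_fault is set,
 * the half computed mod p is perturbed by one, modelling a transient
 * computational fault; the half computed mod q stays correct. */
static uint64_t sign_crt(const struct rsa_priv *k, uint64_t m, int inject_fault) {
    uint64_t s1 = powmod(m, k->dp, P);
    uint64_t s2 = powmod(m, k->dq, Q);
    if (inject_fault) s1 = (s1 + 1) % P;
    uint64_t h = mulmod(k->qinv, (s1 + P - (s2 % P)) % P, P);   /* Garner recombination */
    return s2 + h * Q;                                          /* already < N */
}

/* Lenstra's observation: a signature that is right mod q but wrong mod p satisfies
 * s^e ≡ m (mod q) only, so gcd(s^e - m, n) is q. Returns the exposed factor,
 * or 1 when the signature is correct and nothing leaks. */
static uint64_t factor_from_signature(uint64_t s, uint64_t m) {
    uint64_t diff = (powmod(s, E, N) + N - (m % N)) % N;
    uint64_t g = gcd(diff, N);
    return (g == N) ? 1 : g;
}

/* Countermeasure: verify before release. A result that fails s^e == m is never
 * handed to the transport, so a passive observer sees nothing to factor. */
static int sign_checked(const struct rsa_priv *k, uint64_t m, int inject_fault, uint64_t *out) {
    uint64_t s = sign_crt(k, m, inject_fault);
    if (powmod(s, E, N) != m % N) return -1;   /* reject, or recompute without CRT */
    *out = s;
    return 0;
}

int main(void) {
    struct rsa_priv k = keygen();
    uint64_t m = 42, good = sign_crt(&k, m, 0), bad = sign_crt(&k, m, 1), s;
    printf("correct signature leaks factor: %llu (1 = nothing)\n",
           (unsigned long long)factor_from_signature(good, m));
    printf("faulty signature leaks factor:  %llu (q = %llu)\n",
           (unsigned long long)factor_from_signature(bad, m), (unsigned long long)Q);
    printf("checked signer on faulty path:  %s\n",
           sign_checked(&k, m, 1, &s) == 0 ? "released" : "rejected");
    return 0;
}
```

The check in sign_checked costs one public-exponent operation per signature and is what mature libraries such as OpenSSL do before returning a CRT result; the digest’s other recommendation, encrypting the handshake as TLS 1.3 does, removes the observer’s view of the signature altogether.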

Navigating the Potholes in WPS Office

A critical vulnerability (CVE-2023-31275) in WPS Office allows remote code execution (RCE) through an uninitialized pointer in handling Excel file Data elements. Discovered by Talos, this flaw, with a CVSS score of 8.8, can be exploited via a malformed file, leading to system compromise. The issue arises from a missing validation check for the mandatory Data element in the software, a popular productivity suite. Users of WPS Office are urged to update to patched versions to mitigate this high-severity security risk. 
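The bug class described here, a pointer that is only assigned on one parsing path while the element that would assign it is never checked for presence, is illustrated by the following added C example. It is not WPS Office or Talos code and does not use the real Excel or WPS file layout; the tag values, struct and function names and the sample inputs are constructed for the illustration. The comment above the parser describes the vulnerable shape; the code below it is the hardened form.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed toy element format for illustration only (not the real Excel or
 * WPS layout): a byte stream of elements, each [1-byte tag][1-byte len][payload].
 * TAG_NAME is optional; TAG_DATA is mandatory, like the Data element in the CVE. */
enum { TAG_NAME = 0x01, TAG_DATA = 0x02 };

struct record {
    const uint8_t *name; size_t name_len;   /* optional element */
    const uint8_t *data; size_t data_len;   /* mandatory element */
};

enum parse_status { PARSE_OK = 0, PARSE_TRUNCATED = -1, PARSE_MISSING_DATA = -2 };

/* The vulnerable shape of this routine is: declare `struct record rec;` without
 * zeroing it, assign rec.data only inside the TAG_DATA branch, and let the caller
 * read rec.data_len bytes after the loop. For an input with no Data element,
 * rec.data is whatever happened to be on the stack. The version below closes
 * that gap: fields start as NULL/0 and the mandatory element is validated. */
static enum parse_status parse_record(const uint8_t *buf, size_t len, struct record *rec) {
    memset(rec, 0, sizeof *rec);
    size_t off = 0;
    while (off < len) {
        if (len - off < 2) return PARSE_TRUNCATED;          /* header must fit */
        uint8_t tag = buf[off], plen = buf[off + 1];
        off += 2;
        if (plen > len - off) return PARSE_TRUNCATED;       /* payload must fit */
        if (tag == TAG_NAME) {
            rec->name = buf + off; rec->name_len = plen;
        } else if (tag == TAG_DATA) {
            rec->data = buf + off; rec->data_len = plen;
        }                                                    /* unknown tags skipped */
        off += plen;
    }
    if (rec->data == NULL) return PARSE_MISSING_DATA;       /* the check that was missing */
    return PARSE_OK;
}

/* Consumer: only touches rec.data after parse_record has vouched for it. */
static long data_checksum(const uint8_t *buf, size_t len) {
    struct record rec;
    if (parse_record(buf, len, &rec) != PARSE_OK) return -1;
    long sum = 0;
    for (size_t i = 0; i < rec.data_len; i++) sum += rec.data[i];
    return sum;
}

/* Constructed sample inputs. */
static const uint8_t SAMPLE_OK[]           = { TAG_NAME, 3, 'a', 'b', 'c', TAG_DATA, 4, 1, 2, 3, 4 };
static const uint8_t SAMPLE_MISSING_DATA[] = { TAG_NAME, 3, 'a', 'b', 'c' };
static const uint8_t SAMPLE_TRUNCATED[]    = { TAG_DATA, 10, 1, 2 };   /* claims 10 bytes, has 2 */

int main(void) {
    printf("well-formed:  checksum %ld\n", data_checksum(SAMPLE_OK, sizeof SAMPLE_OK));
    printf("missing Data: %ld (rejected)\n", data_checksum(SAMPLE_MISSING_DATA, sizeof SAMPLE_MISSING_DATA));
    printf("truncated:    %ld (rejected)\n", data_checksum(SAMPLE_TRUNCATED, sizeof SAMPLE_TRUNCATED));
    return 0;
}
```

The two defences are independent and both are needed: zero-initialising the output struct turns a missing element into a detectable NULL rather than a stale pointer, and the explicit presence check turns that NULL into a clean parse error before any consumer dereferences it.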


Want something new to listen to?

Check out Blackpoint's podcasts where you can hear expert insights and candid discussions about cybersecurity, incident response, entrepreneurship, and elite performance.