AppSec & Supply Chain SecurityAugust 3, 2023

The Week in Security: Malware gives remote access to air-gapped devices, cyber attackers target Italy

Welcome to the latest edition of The Week in Security, which brings you the newest headlines from both the world and our team across the full stack of security: application security, cybersecurity, and beyond.

Kate Tenerowicz

This week: Hackers use new malware to gain remote access to air-gapped devices. Also: Cybercriminals are using WikiLoader to attack Italian organizations.

This Week’s Top Story

Hackers use new malware to breach air-gapped devices in Eastern Europe

Air-gapped devices, the last frontier of safety from remotely executed attacks, have been conquered. A quick online search tells you that air-gapped devices are computers or networks isolated from any external connection; to transfer data to or from them, one needs a removable media device (a USB drive, for example). Being totally removed from the wider world of connected devices seems foolproof. However, this has now been shown to be just an illusion: state-sponsored Chinese hackers have created new malware that can steal data from these air-gapped systems without any rappelling, identity theft, or retina scans. Researchers at Kaspersky discovered the new malware and have linked it to the cyber-espionage group APT31, a.k.a. Zirconium.

The methodology of Zirconium is quite elaborate. Its attack is executed in three stages, using at least 15 distinct implants, plus the group’s iconic FourteenHi malware family. The first stage uses implants to establish persistence and remote access to the compromised systems while also collecting reconnaissance data. The second stage involves implanting a more specialized malware that can steal the data from the systems using USB propagation. Finally, to exfiltrate the data, the hackers use more implants to upload the stolen information to their command-and-control servers.

For those wondering about the details of the malware — roughly 15 of them, plus FourteenHi — Kaspersky has managed to study the Stage 1 and Stage 2 malware in close detail. Despite the large number of implants involved, the attacks remain stealthy and contain a multitude of tactics, techniques, and procedures (TTPs).

News Roundup

Here are the stories we’re paying attention to this week.

Cybercriminals Renting WikiLoader to Target Italian Organizations with Banking Trojan (The Hacker News)

Organizations in Italy are being targeted by a phishing campaign that uses a new strain of the malware WikiLoader with the goal of installing Ursnif (Gozi), a banking Trojan, stealer, and spyware. The phishing campaigns center on the use of emails containing either Microsoft Excel, Microsoft OneNote, or PDF attachments. Once launched or downloaded, these attachments deploy WikiLoader, which in turn downloads Ursnif. This campaign appears to be ongoing and may be tricky to catch since WikiLoader is heavily obfuscated and comes with evasive maneuvers.

Pentagon investigating compromise in Air Force communications (CSO Online)

An engineer working at Arnold Air Force Base in Tennessee stole government radio technologies and gained unauthorized administrator access. The technologies were used to launch campaigns against the U.S. Department of Defense, affecting roughly 17 installations. This marks the second compromise of the Pentagon within three months.

US internet hosting company appears to facilitate global cybercrime, researchers say (CyberScoop)

Cloudzy, an Internet hosting company with a New York phone number, may be aiding hackers from Iran, Russia, and North Korea. The company either knowingly or unwittingly provides a platform for illicit digital activity, acting as a command-and-control provider. It is recommended that anyone doing business with Cloudzy pause as its legality comes into question.

Canon warns of Wi-Fi security risks when discarding inkjet printers (Bleeping Computer)

Canon is warning users of its inkjet printers that the devices’ stored Wi-Fi settings are at risk of exposure. The Wi-Fi connection settings stored in the devices’ memory were not wiped during the initialization process as they should have been, so anyone who extracts the printer memory can recover many details of a user’s Wi-Fi network. The exact details that can be accessed vary from model to model, but most printers store at least the network SSID, the password, the network type (WPA3, WEP, etc.), the assigned IP address, the MAC address, and the network profile — enough information for a third party to gain unauthorized network access, steal data, and deploy a variety of malicious software.

Apple Users Open to Remote Control via Tricky macOS Malware (Dark Reading)

Apple users are vulnerable to remote control due to a new data-stealing malware with a sneaky approach that uses hidden virtual network computing (hVNC). The hVNC is a doppelgänger of VNC, which is typically used by IT teams to provide remote technical support to users. Once bad actors have remote control through the hVNC, they can access login credentials, personal data, financial information, and more. Most concerning is the malware’s resilience to system reboots and other methods of removal.

Keep learning

  • Get up to speed on the state of software security with RL's Software Supply Chain Security Report 2026. Plus: See the webinar discussing the findings.
  • Learn why binary analysis is a must-have in the Gartner® CISO Playbook for Commercial Software Supply Chain Security.
  • Take action on securing AI/ML with our report: AI Is the Supply Chain. Plus: See RL's research on nullifAI and watch how RL discovered the novel threat.
  • Get the report: Go Beyond the SBOM. Plus: See the CycloneDX xBOM webinar.