July 22nd: CloudMensis +++ Online storage services used for delivering malware +++ Vulnerabilities of the week

New malware backdoor: CloudMensis

ESET researchers first spotted the new malware in April 2022 and named it CloudMensis. Why? It uses pCloud, Yandex Disk, and Dropbox public cloud storage services for command-and-control (C2) communication. CloudMensis' capabilities clearly show that its operators' main goal is to collect sensitive information from infected Macs through various means. These include screenshots, exfiltration of documents and keystrokes, as well as listing email messages, attachments, and files on removable storage. CloudMensis can also bypass the macOS Transparency, Consent and Control (TCC) system and "if SIP is enabled but the Mac is running any version of macOS Catalina earlier than 10.15.6, CloudMensis will exploit a vulnerability to make the TCC daemon (tccd) load a database CloudMensis can write to." The vulnerability it uses for this is a CoreFoundation bug tracked as CVE-2020-9934 and patched by Apple two years ago.
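The TCC precondition quoted above (SIP enabled, Catalina earlier than 10.15.6) is easy to turn into a fleet-wide check. The script below is an added example, not code from ESET or from the malware; the function names are hypothetical, the `sw_vers`/`csrutil` sample outputs are constructed inline, and anything outside Catalina is reported as not covered by the writeup rather than guessed.

```python
"""Flag Macs that still match the CloudMensis TCC-bypass precondition described above."""
import re
import subprocess
from typing import Optional, Tuple

PATCHED_CATALINA = (10, 15, 6)  # per the writeup: Catalina earlier than 10.15.6 is affected


def parse_version(text: str) -> Tuple[int, int, int]:
    """Turn `sw_vers -productVersion` output such as '10.15.5' or '11.6' into a 3-tuple."""
    m = re.search(r"(\d+)\.(\d+)(?:\.(\d+))?", text)
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    return (int(m.group(1)), int(m.group(2)), int(m.group(3) or 0))


def parse_sip_status(text: str) -> bool:
    """Parse `csrutil status` output; True when System Integrity Protection is enabled."""
    m = re.search(r"System Integrity Protection status:\s*(\w+)", text)
    if not m:
        raise ValueError(f"unrecognised csrutil output: {text!r}")
    return m.group(1).lower() == "enabled"


def tcc_hijack_precondition(version: Tuple[int, int, int], sip_enabled: bool) -> Optional[bool]:
    """True  -> matches the quoted condition (SIP on, Catalina < 10.15.6): patch now.
    False -> SIP off (a different case, not covered here) or Catalina 10.15.6 / newer macOS.
    None  -> pre-Catalina release; the writeup makes no statement, consult Apple's advisories."""
    major, minor, patch = version
    if not sip_enabled:
        return False
    if (major, minor) == (10, 15):
        return (major, minor, patch) < PATCHED_CATALINA
    if (major, minor) > (10, 15):
        return False
    return None


def check_local_mac() -> Optional[bool]:
    """Run the two stock macOS commands on this host and evaluate them (macOS only)."""
    ver = subprocess.run(["sw_vers", "-productVersion"], capture_output=True, text=True, check=True).stdout
    sip = subprocess.run(["csrutil", "status"], capture_output=True, text=True, check=True).stdout
    return tcc_hijack_precondition(parse_version(ver), parse_sip_status(sip))


if __name__ == "__main__":
    # Constructed sample output standing in for a real host, so the script also runs off-macOS.
    sample_ver, sample_sip = "10.15.5\n", "System Integrity Protection status: enabled.\n"
    print("TCC precondition met:", tcc_hijack_precondition(parse_version(sample_ver), parse_sip_status(sample_sip)))
```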

If you want to dig deeper into this new malware backdoor, here is our source material for you to enjoy: 

Hackers use trusted online storage services for delivering malware

Organizations around the world rely on the use of trusted, reliable online storage services – such as Dropbox and Google Drive – to conduct day-to-day operations. However, Unit 42 research shows that threat actors are finding ways to take advantage of that trust to make their attacks extremely difficult to detect and prevent. When the use of trusted services is combined with encryption, as we see here, it becomes extremely difficult for organizations to detect malicious activity in connection with the campaign.

The complete article can be read here:

Cloaked Ursa (APT29) Hackers Use Trusted Online Storage Services (paloaltonetworks.com)

Vulnerabilities of the week

Multiple vulnerabilities have been discovered in Google Chrome prior to 103.0.5060.134. Successful exploitation of the most severe of these vulnerabilities could allow for arbitrary code execution in the context of the logged-on user.

Furthermore, Juniper Networks published 21 security advisories to inform customers about more than 200 vulnerabilities affecting its products last week. The security holes impact Junos OS (including on SRX, EX, PTX, QFX and MX series devices), Junos Space, Contrail Networking, and Northstar Controller products. Six advisories describe six high-severity vulnerabilities that are specific to Juniper products. All except one of these vulnerabilities can be exploited by an unauthenticated attacker on the network to cause a denial of service (DoS) condition. The remaining flaw can allow a local attacker authenticated with low privileges to take full control of the targeted device. There are also six advisories with an overall rating of "critical" or "high severity" that describe more than 200 issues affecting third-party components. The remaining advisories describe medium-severity issues affecting Junos OS.

Our advice: Please update now!

For more insights on the topic, feel free to check some of our trusted sources below:

Is cybersecurity a topic of interest for your company? As an independent entity with a portfolio of proven security providers, CyberCompare can provide you with comparative offers at no charge and with no obligation. Reach out to us or use our diagnostic to learn more about your cyber risk profile.

Please remember: this article is based on our knowledge at the time it was written – but we learn more every day. Do you think important points are missing or do you see the topic from a different perspective? We would be happy to discuss current developments in greater detail with you and your company's other experts and welcome your feedback and thoughts.

And one more thing: the fact that an article mentions (or does not mention) a provider does not represent a recommendation from CyberCompare. Recommendations always depend on the customer’s individual situation.

Simeon Mussler

We are happy to help you personally with specifying your cybersecurity requirements:

+49 (0)711 811-91494
